commit 9e87724f22aa5c91e0f564f92bcf47e6e5e1c80f Author: Brad Spengler Date: Thu Jun 5 12:35:51 2014 -0400 randomize layouts of two futex structs kernel/futex.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 064d5806d5d604f0179d6bba35a9ee38aedc3d36 Author: Thomas Gleixner Date: Mon May 12 20:45:35 2014 +0000 Upstream commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a futex: Prevent attaching to kernel threads We happily allow userspace to declare a random kernel thread to be the owner of a user space PI futex. Found while analysing the fallout of Dave Jones syscall fuzzer. We also should validate the thread group for private futexes and find some fast way to validate whether the "alleged" owner has RW access on the file which backs the SHM, but that's a separate issue. Signed-off-by: Thomas Gleixner Cc: Dave Jones Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Darren Hart Cc: Davidlohr Bueso Cc: Steven Rostedt Cc: Clark Williams Cc: Paul McKenney Cc: Lai Jiangshan Cc: Roland McGrath Cc: Carlos ODonell Cc: Jakub Jelinek Cc: Michael Kerrisk Cc: Sebastian Andrzej Siewior Link: http://lkml.kernel.org/r/20140512201701.194824402@linutronix.de Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org kernel/futex.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9c7b78634a505475c3283b3178220bc97c93ea79 Author: Ursula Braun Date: Tue May 13 14:38:02 2014 +0200 Upstream commit: f5738e2ef88070ef1372e6e718124d88e9abe4ac af_iucv: wrong mapping of sent and confirmed skbs When sending data through IUCV a MESSAGE COMPLETE interrupt signals that sent data memory can be freed or reused again. With commit f9c41a62bba3f3f7ef3541b2a025e3371bcbba97 "af_iucv: fix recvmsg by replacing skb_pull() function" the MESSAGE COMPLETE callback iucv_callback_txdone() identifies the wrong skb as being confirmed, which leads to data corruption. This patch fixes the skb mapping logic in iucv_callback_txdone(). Signed-off-by: Ursula Braun Signed-off-by: Frank Blaschka Cc: Signed-off-by: David S. Miller net/iucv/af_iucv.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7db9658af6838283b8f765027088b9f2b5d406d9 Author: Dan Carpenter Date: Fri May 23 19:37:21 2014 +0300 Upstream commit: 7df566bbdd0af0785542b89466a937e94257fcfb qlcnic: info leak in qlcnic_dcb_peer_app_info() This function is called from dcbnl_build_peer_app(). The "info" struct isn't initialized at all so we disclose 2 bytes of uninitialized stack data. We should clear it before passing it to the user. Fixes: 48365e485275 ('qlcnic: dcb: Add support for CEE Netlink interface.') Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit bea241de3bca2bd2d116d7d6fc4d7947333f6c93 Author: Eric W. Biederman Date: Fri May 30 11:04:00 2014 -0700 Upstream commit: 2d7a85f4b06e9c27ff629f07a524c48074f07f81 netlink: Only check file credentials for implicit destinations It was possible to get a setuid root or setcap executable to write to it's stdout or stderr (which has been set made a netlink socket) and inadvertently reconfigure the networking stack. To prevent this we check that both the creator of the socket and the currentl applications has permission to reconfigure the network stack. Unfortunately this breaks Zebra which always uses sendto/sendmsg and creates it's socket without any privileges. To keep Zebra working don't bother checking if the creator of the socket has privilege when a destination address is specified. Instead rely exclusively on the privileges of the sender of the socket. Note from Andy: This is exactly Eric's code except for some comment clarifications and formatting fixes. Neither I nor, I think, anyone else is thrilled with this approach, but I'm hesitant to wait on a better fix since 3.15 is almost here. Note to stable maintainers: This is a mess. An earlier series of patches in 3.15 fix a rather serious security issue (CVE-2014-0181), but they did so in a way that breaks Zebra. The offending series includes: commit aa4cf9452f469f16cea8c96283b641b4576d4a7b Author: Eric W. Biederman Date: Wed Apr 23 14:28:03 2014 -0700 net: Add variants of capable for use on netlink messages If a given kernel version is missing that series of fixes, it's probably worth backporting it and this patch. if that series is present, then this fix is critical if you care about Zebra. Cc: stable@vger.kernel.org Signed-off-by: "Eric W. Biederman" Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller include/linux/netlink.h | 7 ++++--- net/netlink/af_netlink.c | 7 ++++++- 2 files changed, 10 insertions(+), 4 deletions(-) commit 93f6913dfd0fc9a7dadfed16d187cb760557567d Author: Eric W. Biederman Date: Wed Apr 23 14:28:03 2014 -0700 Upstream commit: aa4cf9452f469f16cea8c96283b641b4576d4a7b net: Add variants of capable for use on netlink messages netlink_net_capable - The common case use, for operations that are safe on a network namespace netlink_capable - For operations that are only known to be safe for the global root netlink_ns_capable - The general case of capable used to handle special cases __netlink_ns_capable - Same as netlink_ns_capable except taking a netlink_skb_parms instead of the skbuff of a netlink message. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/linux/netlink.h | 7 +++++ net/netlink/af_netlink.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) commit 83eee88f79157580fe01a244a628f5c39f205eb8 Author: Eric W. Biederman Date: Wed Apr 23 14:25:48 2014 -0700 Upstream commit: 5187cd055b6e81fc6526109456f8b20623148d5f netlink: Rename netlink_capable netlink_allowed netlink_capable is a static internal function in af_netlink.c and we have better uses for the name netlink_capable. Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/netlink/af_netlink.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit b79e73e3664f6d9fdaa5db1bbb653a584026a64a Author: Sebastian Ott Date: Wed Jun 4 15:58:24 2014 +0200 Upstream commit: 0c36b390a546055b6815d4b93a2c9fed4d980ffb percpu-refcount: fix usage of this_cpu_ops The percpu-refcount infrastructure uses the underscore variants of this_cpu_ops in order to modify percpu reference counters. (e.g. __this_cpu_inc()). However the underscore variants do not atomically update the percpu variable, instead they may be implemented using read-modify-write semantics (more than one instruction). Therefore it is only safe to use the underscore variant if the context is always the same (process, softirq, or hardirq). Otherwise it is possible to lose updates. This problem is something that Sebastian has seen within the aio subsystem which uses percpu refcounters both in process and softirq context leading to reference counts that never dropped to zeroes; even though the number of "get" and "put" calls matched. Fix this by using the non-underscore this_cpu_ops variant which provides correct per cpu atomic semantics and fixes the corrupted reference counts. Cc: Kent Overstreet Cc: # v3.11+ Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Tejun Heo References: http://lkml.kernel.org/g/alpine.LFD.2.11.1406041540520.21183@denkbrett include/linux/percpu-refcount.h | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit bdd7037701e89d9d9137f6e81336648ad6bb6d90 Author: Brad Spengler Date: Thu Jun 5 11:43:32 2014 -0400 futex: Make lookup_pi_state more robust The current implementation of lookup_pi_state has ambigous handling of the TID value 0 in the user space futex. We can get into the kernel even if the TID value is 0, because either there is a stale waiters bit or the owner died bit is set or we are called from the requeue_pi path or from user space just for fun. The current code avoids an explicit sanity check for pid = 0 in case that kernel internal state (waiters) are found for the user space address. This can lead to state leakage and worse under some circumstances. Handle the cases explicit: Waiter | pi_state | pi->owner | uTID | uODIED | ? [1] NULL | --- | --- | 0 | 0/1 | Valid [2] NULL | --- | --- | >0 | 0/1 | Valid [3] Found | NULL | -- | Any | 0/1 | Invalid [4] Found | Found | NULL | 0 | 1 | Valid [5] Found | Found | NULL | >0 | 1 | Invalid [6] Found | Found | task | 0 | 1 | Valid [7] Found | Found | NULL | Any | 0 | Invalid [8] Found | Found | task | ==taskTID | 0/1 | Valid [9] Found | Found | task | 0 | 0 | Invalid [10] Found | Found | task | !=taskTID | 0/1 | Invalid [1] Indicates that the kernel can acquire the futex atomically. We came came here due to a stale FUTEX_WAITERS/FUTEX_OWNER_DIED bit. [2] Valid, if TID does not belong to a kernel thread. If no matching thread is found then it indicates that the owner TID has died. [3] Invalid. The waiter is queued on a non PI futex [4] Valid state after exit_robust_list(), which sets the user space value to FUTEX_WAITERS | FUTEX_OWNER_DIED. [5] The user space value got manipulated between exit_robust_list() and exit_pi_state_list() [6] Valid state after exit_pi_state_list() which sets the new owner in the pi_state but cannot access the user space value. [7] pi_state->owner can only be NULL when the OWNER_DIED bit is set. [8] Owner and user space value match [9] There is no transient state which sets the user space TID to 0 except exit_robust_list(), but this is indicated by the FUTEX_OWNER_DIED bit. See [4] [10] There is no transient state which leaves owner and user space TID out of sync. Backport to 3.13 conflicts: kernel/futex.c Signed-off-by: Thomas Gleixner Signed-off-by: John Johansen Cc: Kees Cook Cc: Will Drewry Cc: Darren Hart Cc: stable@vger.kernel.org kernel/futex.c | 123 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 106 insertions(+), 17 deletions(-) commit 62fa4abca42b8ac782c4961ee22a2f45e8347f2c Author: Thomas Gleixner Date: Tue Jun 3 12:27:07 2014 +0000 futex: Always cleanup owner tid in unlock_pi If the owner died bit is set at futex_unlock_pi, we currently do not cleanup the user space futex. So the owner TID of the current owner (the unlocker) persists. That's observable inconsistant state, especially when the ownership of the pi state got transferred. Clean it up unconditionally. Signed-off-by: Thomas Gleixner Cc: Kees Cook Cc: Will Drewry Cc: Darren Hart Cc: stable@vger.kernel.org Signed-off-by: Brad Spengler kernel/futex.c | 40 ++++++++++++++++++---------------------- 1 files changed, 18 insertions(+), 22 deletions(-) commit b3fe7a7c6ce8135784b22649ac41ea26bd560dbc Author: Thomas Gleixner Date: Tue Jun 3 12:27:06 2014 +0000 futex: Validate atomic acquisition in We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner. Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem. [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ] Signed-off-by: Darren Hart Cc: Kees Cook Cc: Will Drewry Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner Signed-off-by: Brad Spengler kernel/futex.c | 14 +++++++++++--- 1 files changed, 11 insertions(+), 3 deletions(-) commit 9353b65389c326aacfe98091f7f67170361a3ea9 Author: Thomas Gleixner Date: Tue Jun 3 12:27:06 2014 +0000 futex-prevent-requeue-pi-on-same-futex.patch If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition. This change brings futex_requeue() into line with futex_wait_requeue_pi() which performs the same check as per commit 6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()) [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ] Fixes CVE-2014-3153. Reported-by: Pinkie Pie Signed-off-by: Will Drewry Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner Signed-off-by: Brad Spengler kernel/futex.c | 25 +++++++++++++++++++++++++ 1 files changed, 25 insertions(+), 0 deletions(-) commit 5f91521cf6929379a912ebc9ede7957afc8812a3 Author: Brad Spengler Date: Tue Jun 3 09:49:01 2014 -0400 fix compiler warning fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b64fe5a34976cab207dddd33da55eee75540cc62 Author: Brad Spengler Date: Mon Jun 2 14:32:40 2014 -0400 remove now-outdated documentation kernel/cred.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 8001473542f0384528a6d406d5cc4993800fb87d Author: Brad Spengler Date: Mon Jun 2 14:15:25 2014 -0400 compare securebits in addition to ensuring the other threads are running with uid 0 include/linux/cred.h | 1 + kernel/cred.c | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) commit eb821bd70f42873600a3697261a43a55afcf1a86 Author: Brad Spengler Date: Mon Jun 2 13:08:43 2014 -0400 add documentation kernel/cred.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 58493cba34e705f10484dc8bf3e01c146630993e Author: Brad Spengler Date: Mon Jun 2 12:57:48 2014 -0400 Fix a bug with GRKERNSEC_SETXID exhibited by ntpd bailing out when being unable to drop privileges. It drops privileges itself in two separate threads, though only one of the threads calls a PR_SET_KEEPCAPS which forks off the cred struct. While it's a little silly for ntpd to be doing this (having two threads of different privilege with the same shared memory space) we can make GRKERNSEC_SETXID compatible by only scheduling a credential change for tasks that share a cred struct with the thread that's doing the root -> nonroot setuid Thanks to strcat for the report kernel/cred.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit a47afbb7822943c5ede32b4712fa9719db251844 Merge: b34ba4b 8b34961 Author: Brad Spengler Date: Mon Jun 2 12:24:49 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: net/core/filter.c commit 8b349614897a39ad13e59c448692646916b5ecc6 Merge: 9460d83 0314057 Author: Brad Spengler Date: Mon Jun 2 12:23:19 2014 -0400 Update to pax-linux-3.14.5-test10.patch: - fixed an off-by-one in the prefault code in access_ok on x86, reported by Roy Li it'd cause a prefault attempt on address 0 and other unmapped addresses and fail the current syscall - updated gcc-common.h Merge branch 'linux-3.14.y' into pax-test Conflicts: arch/x86/net/bpf_jit_comp.c commit b34ba4b6d4489f98b90e583b6016f926b75cfbed Author: Brad Spengler Date: Mon Jun 2 06:51:24 2014 -0400 avoid include hell by moving the stack check to fs/exec.c and passing in an extra bool to the function specifying whether the length is const or not. we'll also perform this check regardless of USERCOPY status fs/exec.c | 17 +++++++++++++++-- include/linux/thread_info.h | 16 ++-------------- 2 files changed, 17 insertions(+), 16 deletions(-) commit 4e9db31ff463f509366359d65a25ce48490d0629 Author: Brad Spengler Date: Sun Jun 1 12:43:42 2014 -0400 We can use an even stricter check on the stack for copy*user as it should only ever be called in process context -- this allows us not only to check for potential future overflow but actual overflow include/linux/thread_info.h | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) commit 52d9aa7e2d501f1d9cf948b1fdb159755073a069 Author: Brad Spengler Date: Wed May 28 18:16:00 2014 -0400 don't force on DEBUG_STACKOVERFLOW as we now have the better STACKLEAK improvements and KSTACKOVERFLOW security/Kconfig | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 1c4bf7bd54b098ed27046e41723d594471fec1b4 Author: Brad Spengler Date: Tue May 27 12:54:48 2014 -0400 make pax_track_stack BUG() immediately if it notices the stack getting too deep -- this will happen separately to its later check that we're clearing too much stack on syscall exit fs/exec.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 9c30ed737cf129e265c8a19e9dee3ce5b3a0b7ee Author: Brad Spengler Date: Tue May 27 10:40:50 2014 -0400 Add a new feature for 64-bit kernels to defend against stack overflows GRKERNSEC_KSTACKOVERFLOW Contrary to some naive suggestions on Twitter, it's not just a simple process of "adding guard pages" due to how kernel stacks are allocated on Linux and the fact that just adding guard pages to that existing allocation mechanism would require breaking up large pages, adding a large maintenance and performance cost. Instead we allocate the kernel process stacks using vmalloc which provides us with the "guard pages" for free, though we only do this on 64-bit architectures (other than Itanium) due to the limited space for vmalloc allocations on 32-bit. We've been working on some other approaches for solving this problem, including one that required several advances in GCC plugin analysis, but this will exist for now as a stopgap until another approach replaces it. arch/x86/kernel/traps.c | 5 +++++ fs/exec.c | 1 + grsecurity/Kconfig | 13 +++++++++++++ include/linux/sched.h | 19 +++++++++++++++++++ include/linux/vmalloc.h | 1 + kernel/fork.c | 15 +++++++++++++++ kernel/sched/core.c | 8 ++++++-- mm/vmalloc.c | 6 ++++++ 8 files changed, 66 insertions(+), 2 deletions(-) commit 9d960434d84ecce5c80b92bb8e70362ddb31276f Author: Jens Axboe Date: Thu May 22 11:54:16 2014 -0700 Upstream commit: 7fcbbaf18392f0b17c95e2f033c8ccf87eecde1d mm/filemap.c: avoid always dirtying mapping->flags on O_DIRECT In some testing I ran today (some fio jobs that spread over two nodes), we end up spending 40% of the time in filemap_check_errors(). That smells fishy. Looking further, this is basically what happens: blkdev_aio_read() generic_file_aio_read() filemap_write_and_wait_range() if (!mapping->nr_pages) filemap_check_errors() and filemap_check_errors() always attempts two test_and_clear_bit() on the mapping flags, thus dirtying it for every single invocation. The patch below tests each of these bits before clearing them, avoiding this issue. In my test case (4-socket box), performance went from 1.7M IOPS to 4.0M IOPS. Signed-off-by: Jens Axboe Acked-by: Jeff Moyer Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/filemap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 98e383b2e3f72ddd28dff0a371ae57680effbd16 Author: Brad Spengler Date: Sun May 25 20:19:32 2014 -0400 update hash table .../size_overflow_plugin/size_overflow_hash.data | 159 +++++++++++++++++--- 1 files changed, 135 insertions(+), 24 deletions(-) commit a374af73d1d3bcf89a3cbcb13f7d3ad329e89b41 Author: Brad Spengler Date: Sun May 25 16:03:39 2014 -0400 update hash table .../size_overflow_plugin/size_overflow_hash.data | 1212 ++++++++++++++++++-- 1 files changed, 1141 insertions(+), 71 deletions(-) commit cac2bc69dfd571246fd9f029c569b8ad4f2d9d16 Author: Anthony Iliopoulos Date: Wed May 14 11:29:48 2014 +0200 Upstream commit: 9844f5462392b53824e8b86726e7c33b5ecbb676 x86, mm, hugetlb: Add missing TLB page invalidation for hugetlb_cow() The invalidation is required in order to maintain proper semantics under CoW conditions. In scenarios where a process clones several threads, a thread operating on a core whose DTLB entry for a particular hugepage has not been invalidated, will be reading from the hugepage that belongs to the forked child process, even after hugetlb_cow(). The thread will not see the updated page as long as the stale DTLB entry remains cached, the thread attempts to write into the page, the child process exits, or the thread gets migrated to a different processor. Signed-off-by: Anthony Iliopoulos Link: http://lkml.kernel.org/r/20140514092948.GA17391@server-36.huawei.corp Suggested-by: Shay Goikhman Acked-by: Dave Hansen Signed-off-by: H. Peter Anvin Cc: # v2.6.16+ (!) arch/x86/include/asm/hugetlb.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 87b8aa4784d20b7b6a206ab25f8b8a4318a59e77 Author: Linus Torvalds Date: Wed May 14 16:33:54 2014 -0700 Upstream commit: fa81511bb0bbb2b1aace3695ce869da9762624ff x86-64, modify_ldt: Make support for 16-bit segments a runtime option Checkin: b3b42ac2cbae x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels disabled 16-bit segments on 64-bit kernels due to an information leak. However, it does seem that people are genuinely using Wine to run old 16-bit Windows programs on Linux. A proper fix for this ("espfix64") is coming in the upcoming merge window, but as a temporary fix, create a sysctl to allow the administrator to re-enable support for 16-bit segments. It adds a "/proc/sys/abi/ldt16" sysctl that defaults to zero (off). If you hit this issue and care about your old Windows program more than you care about a kernel stack address information leak, you can do echo 1 > /proc/sys/abi/ldt16 as root (add it to your startup scripts), and you should be ok. The sysctl table is only added if you have COMPAT support enabled on x86-64, but I assume anybody who runs old windows binaries very much does that ;) Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/r/CA%2B55aFw9BPoD10U1LfHbOMpHWZkvJTkMcfCs9s3urPr1YyWBxw@mail.gmail.com Cc: arch/x86/kernel/ldt.c | 4 +++- arch/x86/vdso/vdso32-setup.c | 8 ++++++++ 2 files changed, 11 insertions(+), 1 deletions(-) commit ed852d4758cd8351de4f68d0c8a88f209afccef2 Author: Tejun Heo Date: Mon May 19 15:52:10 2014 -0400 Upstream commit: f5c16f29bf5e57ba4051fc7785ba7f035f798c71 sysfs: make sure read buffer is zeroed 13c589d5b0ac ("sysfs: use seq_file when reading regular files") switched sysfs from custom read implementation to seq_file to enable later transition to kernfs. After the change, the buffer passed to ->show() is acquired through seq_get_buf(); unfortunately, this introduces a subtle behavior change. Before the commit, the buffer passed to ->show() was always zero as it was allocated using get_zeroed_page(). Because seq_file doesn't clear buffers on allocation and neither does seq_get_buf(), after the commit, depending on the behavior of ->show(), we may end up exposing uninitialized data to userland thus possibly altering userland visible behavior and leaking information. Fix it by explicitly clearing the buffer. Signed-off-by: Tejun Heo Reported-by: Ron Fixes: 13c589d5b0ac ("sysfs: use seq_file when reading regular files") Cc: stable # 3.13+ Signed-off-by: Greg Kroah-Hartman fs/sysfs/file.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5165ee753899c8af578eda16e1796b5681ecc757 Author: Brad Spengler Date: Sun May 25 12:11:16 2014 -0400 fix sysfs infoleak caught by HIDESYM and reported by sandb0y mm/slub.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 8c287bcb50bc1a01620bd0a22d3a83c90c3fbb7b Merge: 6041a88 9460d83 Author: Brad Spengler Date: Sun May 25 12:06:37 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: Makefile tools/gcc/size_overflow_plugin/size_overflow_hash.data commit 9460d836b604ec4db0bec529207c62edb806e352 Author: Brad Spengler Date: Sun May 25 12:02:13 2014 -0400 Update to pax-linux-3.14.4-test9.patch: - Emese fixed the handling of more intentional overflows in unsigned/signed casts, reported by minipli - updated the mrproper target for the new location of the overflow plugin headers, by minipli - updated the size overflow hash database Makefile | 5 +- .../insert_size_overflow_check_core.c | 9 +- .../size_overflow_plugin/intentional_overflow.c | 108 ++++++++++- tools/gcc/size_overflow_plugin/misc.c | 23 +++ .../size_overflow_plugin/remove_unnecessary_dup.c | 25 +--- tools/gcc/size_overflow_plugin/size_overflow.h | 3 + .../size_overflow_plugin/size_overflow_hash.data | 196 +++++++++++++++++++- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 8 files changed, 328 insertions(+), 43 deletions(-) commit 6041a88c489343c25b1b98d4c55f9f5ecb47c2e1 Merge: f3afbfa 62fe16f Author: Brad Spengler Date: Wed May 14 16:00:06 2014 -0400 Merge branch 'pax-test' into grsec-test commit 62fe16fcd604bfa92f665155d1dbc710c0a83861 Author: Brad Spengler Date: Wed May 14 15:59:33 2014 -0400 Update to pax-linux-3.14.4-test8.patch: - Emese fixed an assert in the size overflow plugin that could trigger while compiling on 32 bit archs, reported by spender .../insert_size_overflow_check_core.c | 2 +- .../size_overflow_plugin/remove_unnecessary_dup.c | 14 ++++++++++---- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 3 files changed, 12 insertions(+), 6 deletions(-) commit f3afbfacafcf2c52475ac04d165a270fc50f3d8e Merge: 1106fa2 27ffb5a Author: Brad Spengler Date: Tue May 13 20:04:04 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: commit 27ffb5aaaaea9257cc7e5f26120f24315941b485 Author: Brad Spengler Date: Tue May 13 20:00:39 2014 -0400 Update to pax-linux-3.14.4-test7.patch: - forward port to 3.14.4 - Emese fixed a size overflow bug, reported by minipli arch/x86/Makefile | 2 +- arch/x86/kernel/paravirt.c | 2 +- tools/gcc/.gitignore | 1 - tools/gcc/size_overflow_plugin/.gitignore | 1 + .../insert_size_overflow_asm.c | 8 +- .../insert_size_overflow_check_core.c | 10 +++- .../size_overflow_plugin/intentional_overflow.c | 67 ++++++++++++++++++++ .../size_overflow_plugin/remove_unnecessary_dup.c | 18 +++-- tools/gcc/size_overflow_plugin/size_overflow.h | 7 ++- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 10 files changed, 101 insertions(+), 17 deletions(-) commit 1106fa26fc99a7d683b6e04c95bff3bbbb4a49cb Merge: c73db0f dab255c Author: Brad Spengler Date: Tue May 13 10:26:31 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/tty/n_tty.c commit dab255c402cfe7c75929e4e7f3b44fb4077b0365 Merge: dbd1f7f 7261684 Author: Brad Spengler Date: Tue May 13 10:24:45 2014 -0400 Merge branch 'linux-3.14.y' into pax-test Conflicts: arch/x86/Makefile commit c73db0fc647d04acb96b40b479f60794a56c6b3f Merge: e1d09b0 dbd1f7f Author: Brad Spengler Date: Mon May 12 17:52:08 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/Makefile commit dbd1f7f9ca789dd950683331bcc69a5a09288d12 Author: Brad Spengler Date: Mon May 12 17:43:32 2014 -0400 Update to pax-linux-3.14.3-test7.patch: - forward port to 3.14.3 - removed the no longer necessary mmap_sem locking from binfmt_flat, reported by Lionel Debroux - fixed resume on i386/KERNEXEC, reported by vincent (https://forums.grsecurity.net/viewtopic.php?f=3&t=3176) - Emese refactored the size overflow plugin and also fixed several integer constant related false positives - https://forums.grsecurity.net/viewtopic.php?f=3&t=3940 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3942 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3943 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3949 - https://forums.grsecurity.net/viewtopic.php?f=3&t=3950 Makefile | 2 +- arch/x86/realmode/rm/wakeup_asm.S | 5 +- fs/binfmt_flat.c | 6 - mm/page_alloc.c | 4 +- tools/gcc/Makefile | 29 +- tools/gcc/generate_size_overflow_hash.sh | 97 - tools/gcc/size_overflow_hash.data | 4629 -------------------- tools/gcc/size_overflow_hash_aux.data | 92 - tools/gcc/size_overflow_plugin.c | 4169 ------------------ tools/gcc/size_overflow_plugin/Makefile | 20 + .../generate_size_overflow_hash.sh | 102 + .../insert_size_overflow_asm.c | 790 ++++ .../insert_size_overflow_check_core.c | 889 ++++ .../insert_size_overflow_check_ipa.c | 1133 +++++ .../size_overflow_plugin/intentional_overflow.c | 568 +++ tools/gcc/size_overflow_plugin/misc.c | 180 + .../size_overflow_plugin/remove_unnecessary_dup.c | 151 + tools/gcc/size_overflow_plugin/size_overflow.h | 119 + .../gcc/size_overflow_plugin/size_overflow_debug.c | 116 + .../size_overflow_plugin/size_overflow_hash.data | 4629 ++++++++++++++++++++ .../size_overflow_hash_aux.data | 92 + .../size_overflow_plugin/size_overflow_plugin.c | 259 ++ .../size_overflow_plugin_hash.c | 364 ++ 23 files changed, 9426 insertions(+), 9019 deletions(-) commit e1d09b04917662f6d497d46c63510fc32956c3e4 Author: Brad Spengler Date: Sun May 11 18:00:35 2014 -0400 fix compilation on sparc drivers/cpufreq/sparc-us3-cpufreq.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 54e7e93f6d47e1888b7abc97283a74d679a2a97d Author: Kirill A. Shutemov Date: Fri May 9 15:37:00 2014 -0700 Upstream commit: dd18dbc2d42af75fffa60c77e0f02220bc329829 mm, thp: close race between mremap() and split_huge_page() It's critical for split_huge_page() (and migration) to catch and freeze all PMDs on rmap walk. It gets tricky if there's concurrent fork() or mremap() since usually we copy/move page table entries on dup_mm() or move_page_tables() without rmap lock taken. To get it work we rely on rmap walk order to not miss any entry. We expect to see destination VMA after source one to work correctly. But after switching rmap implementation to interval tree it's not always possible to preserve expected walk order. It works fine for dup_mm() since new VMA has the same vma_start_pgoff() / vma_last_pgoff() and explicitly insert dst VMA after src one with vma_interval_tree_insert_after(). But on move_vma() destination VMA can be merged into adjacent one and as result shifted left in interval tree. Fortunately, we can detect the situation and prevent race with rmap walk by moving page table entries under rmap lock. See commit 38a76013ad80. Problem is that we miss the lock when we move transhuge PMD. Most likely this bug caused the crash[1]. [1] http://thread.gmane.org/gmane.linux.kernel.mm/96473 Fixes: 108d6642ad81 ("mm anon rmap: remove anon_vma_moveto_tail") Signed-off-by: Kirill A. Shutemov Reviewed-by: Andrea Arcangeli Cc: Rik van Riel Acked-by: Michel Lespinasse Cc: Dave Jones Cc: David Miller Acked-by: Johannes Weiner Cc: [3.7+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mremap.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 36257c0bd2117881be7807c62c942463c78762f2 Author: Brad Spengler Date: Sun May 11 17:46:20 2014 -0400 Upstream commit: 28b92e09e25bdc0ae864b22eacf195a74f861389 x86, vdso, time: Cast tv_nsec to u64 for proper shifting in update_vsyscall() With tk->wall_to_monotonic.tv_nsec being a 32-bit value on 32-bit systems, (tk->wall_to_monotonic.tv_nsec << tk->shift) in update_vsyscall() may lose upper bits or, worse, add them since compiler will do this: (u64)(tk->wall_to_monotonic.tv_nsec << tk->shift) instead of ((u64)tk->wall_to_monotonic.tv_nsec << tk->shift) So if, for example, tv_nsec is 0x800000 and shift is 8 we will end up with 0xffffffff80000000 instead of 0x80000000. And then we are stuck in the subsequent 'while' loop. We need an explicit cast. Signed-off-by: Boris Ostrovsky Link: http://lkml.kernel.org/r/1399648287-15178-1-git-send-email-boris.ostrovsky@oracle.com Acked-by: Konrad Rzeszutek Wilk Cc: # v3.14 Signed-off-by: H. Peter Anvin arch/x86/kernel/vsyscall_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 159ee7f30d3d31b83f47be3925c7f9ba0d4e9c80 Author: David S. Miller Date: Tue Apr 29 13:03:27 2014 -0700 Upstream commit: 26cf432551d749e7d581db33529507a711c6eaab sparc64: Add basic validations to {pud,pmd}_bad(). Instead of returning false we should at least check the most basic things, otherwise page table corruptions will be very difficult to debug. PMD and PTE tables are of size PAGE_SIZE, so none of the sub-PAGE_SIZE bits should be set. We also complement this with a check that the physical address the pud/pmd points to is valid memory. PowerPC was used as a guide while implementating this. Signed-off-by: David S. Miller Conflicts: arch/sparc/include/asm/pgtable_64.h arch/sparc/include/asm/pgtable_64.h | 46 +++++++++++++++++++++++----------- 1 files changed, 31 insertions(+), 15 deletions(-) commit 69d5aea5a39dcb65700e8721f2b64a4cfb71ee76 Author: David S. Miller Date: Tue Apr 29 12:58:03 2014 -0700 Upstream commit: ee73887e92a69ae0a5cda21c68ea75a27804c944 sparc64: Fix range check in kern_addr_valid(). In commit b2d438348024b75a1ee8b66b85d77f569a5dfed8 ("sparc64: Make PAGE_OFFSET variable."), the MAX_PHYS_ADDRESS_BITS value was increased (to 47). This constant reference to '41UL' was missed. Signed-off-by: David S. Miller arch/sparc/include/asm/pgtable_64.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d956411472c3cb4b0d922588074e0c8750246dd9 Author: David S. Miller Date: Mon Apr 28 23:52:11 2014 -0700 Upstream commit: 70ffc6ebaead783ac8dafb1e87df0039bb043596 sparc64: Fix top-level fault handling bugs. Make get_user_insn() able to cope with huge PMDs. Next, make do_fault_siginfo() more robust when get_user_insn() can't actually fetch the instruction. In particular, use the MMU announced fault address when that happens, instead of calling compute_effective_address() and computing garbage. Signed-off-by: David S. Miller arch/sparc/mm/fault_64.c | 82 +++++++++++++++++++++++++++++----------------- 1 files changed, 52 insertions(+), 30 deletions(-) commit cd77d17308b2adf148d34b5778a08f2c630ad299 Author: David S. Miller Date: Tue Apr 29 13:28:23 2014 -0700 Upstream commit: fe866433f843b080246ce729b5e6b27b5f5d9a58 sparc64: Give more detailed information in {pgd,pmd}_ERROR() and kill pte_ERROR(). pte_ERROR() is not used anywhere, delete it. For pgd_ERROR() and pmd_ERROR(), output something similar to x86, giving the address of the pgd/pmd as well as it's value. Also provide the caller, since these macros are invoked from pgd_clear_bad() and pmd_clear_bad() which provides little context as to what high level operation was occuring when the BAD state was detected. Signed-off-by: David S. Miller arch/sparc/include/asm/pgtable_64.h | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit 37cb28b61a50ae2c5c52308931c2a6539b6e81e5 Author: David S. Miller Date: Mon Apr 28 23:50:08 2014 -0700 Upstream commit: d037d16372bbe4d580342bebbb8826821ad9edf0 sparc64: Handle 32-bit tasks properly in compute_effective_address(). If we have a 32-bit task we must chop off the top 32-bits of the 64-bit value just as the cpu would. Signed-off-by: David S. Miller arch/sparc/kernel/unaligned_64.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 10e5b721586e4aa824ed7ae802a22deda77b3383 Author: David S. Miller Date: Fri Apr 25 10:21:12 2014 -0700 Upstream commit: 04df419de34104d8818b8c5cffaa062fa36d20ea sparc64: Fix bugs in get_user_pages_fast() wrt. THP. The large PMD path needs to check _PAGE_VALID not _PAGE_PRESENT, to decide if it needs to bail and return 0. pmd_large() should therefore just check _PAGE_PMD_HUGE. Calls to gup_huge_pmd() are guarded with a check of pmd_large(), so we just need to add a valid bit check. Signed-off-by: David S. Miller arch/sparc/include/asm/pgtable_64.h | 2 +- arch/sparc/mm/gup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit a97c8c954ec2428b69f233ceef737a9f8a2cb8bd Author: David S. Miller Date: Thu Apr 24 13:58:02 2014 -0700 Upstream commit: 51e5ef1bb7ab0e5fa7de4e802da5ab22fe35f0bf sparc64: Fix huge PMD invalidation. On sparc64 "present" and "valid" are seperate PTE bits, this allows us to naturally distinguish between the user explicitly asking for PROT_NONE with mprotect() and other situations. However we weren't handling this properly in the huge PMD paths. First of all, the page table walker in the TSB miss path only checks for _PAGE_PMD_HUGE. So the generic pmdp_invalidate() would clear _PAGE_PRESENT but the TLB miss paths would still load it into the TLB as a valid huge PMD. Fix this by clearing the valid bit in pmdp_invalidate(), and also checking the valid bit in USER_PGTABLE_CHECK_PMD_HUGE using "brgez" since _PAGE_VALID is bit 63 in both the sun4u and sun4v pte layouts. Signed-off-by: David S. Miller arch/sparc/include/asm/pgtable_64.h | 18 ++++-------------- arch/sparc/include/asm/tsb.h | 3 ++- arch/sparc/mm/tlb.c | 11 +++++++++++ 3 files changed, 17 insertions(+), 15 deletions(-) commit a422426e1fd1de318f37193d530b5bb391545f1c Author: David S. Miller Date: Sun Apr 20 21:55:01 2014 -0400 Upstream commit: 5b1e94fa439a3227beefad58c28c17f68287a8e9 sparc64: Fix executable bit testing in set_pmd_at() paths. This code was mistakenly using the exec bit from the PMD in all cases, even when the PMD isn't a huge PMD. If it's not a huge PMD, test the exec bit in the individual ptes down in tlb_batch_pmd_scan(). Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 15 +++++++++------ 1 files changed, 9 insertions(+), 6 deletions(-) commit 62718f107b55cce3983fc85c14dbdd1d61811804 Author: Brad Spengler Date: Sat May 10 17:31:17 2014 -0400 fix compilation include/linux/thread_info.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit caca44254a6356660d8e7f8e85187dd90a34a903 Author: Brad Spengler Date: Sat May 10 17:24:47 2014 -0400 force DEBUG_STACKOVERFLOW on on grsec kernels and make it trigger the bruteforce logic arch/mips/kernel/irq.c | 4 ++++ arch/powerpc/kernel/irq.c | 3 +++ arch/x86/kernel/irq_32.c | 3 +++ arch/x86/kernel/irq_64.c | 4 ++++ security/Kconfig | 1 + 5 files changed, 15 insertions(+), 0 deletions(-) commit cdba1e7ede26f16ed2cd48b8e906b3e98e23845a Author: Brad Spengler Date: Sat May 10 16:46:48 2014 -0400 always perform the stack overflow check, not just for non-fixed size copies Conflicts: include/linux/thread_info.h fs/exec.c | 16 +--------------- include/linux/thread_info.h | 8 ++++++++ 2 files changed, 9 insertions(+), 15 deletions(-) commit b729936a95dc6374f463fecb52f95317b7261a1c Author: Brad Spengler Date: Sat May 10 15:52:44 2014 -0400 improve PAX_USERCOPY on x86 to detect attempted copies when the current stack has overflowed arch/x86/kernel/dumpstack_32.c | 2 +- arch/x86/kernel/dumpstack_64.c | 2 +- fs/exec.c | 17 ++++++++++++++++- 3 files changed, 18 insertions(+), 3 deletions(-) commit 9f9391e854ab1d0617c70411c0a137401bbe7b00 Author: Brad Spengler Date: Sat May 10 15:23:22 2014 -0400 relax /proc/stat restrictions fs/proc/stat.c | 53 ++++++++++++++++++++++++----------------------------- 1 files changed, 24 insertions(+), 29 deletions(-) commit 82d874f453c5ed2fbde05b30a545b6fbb3728f4d Author: Brad Spengler Date: Sat May 10 14:59:15 2014 -0400 work around a division by zero in vmstat -a fs/proc/stat.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit ded4fcbf3d8e773ec9264082b465749ac325a0a7 Author: John David Anglin Date: Sun Apr 27 16:20:47 2014 -0400 Upstream commit: e0d8898d76a785453bfaf6cd08b830a7d5189f78 parisc: remove _STK_LIM_MAX override There are only a couple of architectures that override _STK_LIM_MAX to a non-infinity value. This changes the stack allocation semantics in subtle ways. For example, GNU make changes its stack allocation to the hard maximum defined by _STK_LIM_MAX. As a results, threads executed by processes running under make are allocated a stack size of _STK_LIM_MAX rather than a sensible default value. This causes various thread stress tests to fail when they can't muster more than about 50 threads. The attached change implements the default behavior used by the majority of architectures. Signed-off-by: John David Anglin Reviewed-by: Carlos O'Donell Cc: stable@vger.kernel.org # 3.14 Signed-off-by: Helge Deller arch/parisc/include/uapi/asm/resource.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f011c01d537ef5acbdcb0a5a5f7b511881192afd Author: Leon Yu Date: Thu May 1 03:31:28 2014 +0000 Upstream commit: 754320d6e166d3a12cb4810a452bde00afbd4e9a aio: fix potential leak in aio_run_iocb(). iovec should be reclaimed whenever caller of rw_copy_check_uvector() returns, but it doesn't hold when failure happens right after aio_setup_vectored_rw(). Fix that in a such way to avoid hairy goto. Signed-off-by: Leon Yu Signed-off-by: Benjamin LaHaise Cc: stable@vger.kernel.org fs/aio.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 53366a1f1b2587e85e6c67d894d9e6d86b94e8f4 Author: Bjørn Mork Date: Fri May 2 23:27:00 2014 +0200 Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546 net: cdc_ncm: fix buffer overflow Commit 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs") changed the padding logic for devices with the ZLP flag set. This meant that frames of any size will be sent without additional padding, except for the single byte added if the size is a multiple of the USB packet size. But if the unpadded size is identical to the maximum frame size, and the maximum size is a multiplum of the USB packet size, then this one-byte padding will overflow the buffer. Prevent padding if already at maximum frame size, letting usbnet transmit a ZLP instead in this case. Fixes: 4d619f625a60 ("net: cdc_ncm: no point in filling up the NTBs if we send ZLPs") Reported by: Yu-an Shih Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_ncm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a3cfbca9cec13b6270a27f1f1aa709e22d73c3d9 Author: Will Woods Date: Tue May 6 12:50:10 2014 -0700 Upstream commit: 9becd707841207652449a8dfd90fe9c476d88546 fanotify: fix -EOVERFLOW with large files on 64-bit On 64-bit systems, O_LARGEFILE is automatically added to flags inside the open() syscall (also openat(), blkdev_open(), etc). Userspace therefore defines O_LARGEFILE to be 0 - you can use it, but it's a no-op. Everything should be O_LARGEFILE by default. But: when fanotify does create_fd() it uses dentry_open(), which skips all that. And userspace can't set O_LARGEFILE in fanotify_init() because it's defined to 0. So if fanotify gets an event regarding a large file, the read() will just fail with -EOVERFLOW. This patch adds O_LARGEFILE to fanotify_init()'s event_f_flags on 64-bit systems, using the same test as open()/openat()/etc. Addresses https://bugzilla.redhat.com/show_bug.cgi?id=696821 Signed-off-by: Will Woods Acked-by: Eric Paris Reviewed-by: Jan Kara Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/fanotify/fanotify_user.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 7f09c21acd29f701c9be8b3b1c0d03c1a5b43cd4 Author: Fabian Frederick Date: Tue May 6 12:50:11 2014 -0700 Upstream commit: d353efd02357a74753cd45f367a2d3d357fd6904 fs/affs/super.c: bugfix / double free Commit 842a859db26b ("affs: use ->kill_sb() to simplify ->put_super() and failure exits of ->mount()") adds .kill_sb which frees sbi but doesn't remove sbi free in case of parse_options error causing double free+random crash. Signed-off-by: Fabian Frederick Cc: Alexander Viro Cc: [3.14.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/affs/super.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit cfc1168a8cd5bb3bebbd9477a4ebcd1311db65a2 Author: Dan Carpenter Date: Sat May 3 23:27:00 2014 +0300 Upstream commit: 3cf0b0311e746a26dcc7c0b5ba0756f61d636a33 agp: info leak in agpioc_info_wrap() On 64 bit systems the agp_info struct has a 4 byte hole between ->agp_mode and ->aper_base. We need to clear it to avoid disclosing stack information to userspace. Signed-off-by: Dan Carpenter Signed-off-by: Dave Airlie drivers/char/agp/frontend.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 4eb22b1780f897edebafc98471a028767d018f68 Author: Matthew Daley Date: Mon Apr 28 19:05:20 2014 +1200 Upstream commit: ef87dbe7614341c2e7bfe8d32fcb7028cc97442c floppy: ignore kernel-only members in FDRAWCMD ioctl input Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an interdeterminate state. Signed-off-by: Matthew Daley Signed-off-by: Linus Torvalds drivers/block/floppy.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b029e28a822159e71fc06ee3a38649c457237bab Author: Matthew Daley Date: Mon Apr 28 19:05:21 2014 +1200 Upstream commit: 2145e15e0557a01b9195d1c7199a1b92cb9be81f floppy: don't write kernel-only members to FDRAWCMD ioctl output Do not leak kernel-only floppy_raw_cmd structure members to userspace. This includes the linked-list pointer and the pointer to the allocated DMA space. Signed-off-by: Matthew Daley Signed-off-by: Linus Torvalds drivers/block/floppy.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 00c9338a1d971a976f9e07d2e776d6ae11461995 Author: Brad Spengler Date: Tue May 6 21:30:54 2014 -0400 update size_overflow hash table tools/gcc/size_overflow_hash.data | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 603c6c4a5f17df3c20d2e8da3d0e1d6077fdc338 Merge: 4f0228b 60400a27 Author: Brad Spengler Date: Tue May 6 17:34:25 2014 -0400 Merge branch 'pax-test' into grsec-test commit 60400a27828523dc7ff09bcc24b79937d4e49347 Merge: db5906b 774e1e6 Author: Brad Spengler Date: Tue May 6 17:33:54 2014 -0400 Merge branch 'linux-3.14.y' into pax-test Conflicts: arch/arm/mm/Kconfig arch/x86/kernel/ldt.c commit 4f0228bf02504dc03b8230f0463677e23fdf1978 Author: Brad Spengler Date: Mon May 5 18:12:30 2014 -0400 Backport fix for heap overflow in the tty layer, CVE-2014-0196 http://bugzillafiles.novell.org/attachment.cgi?id=588355 drivers/tty/n_tty.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit e50ebdb10d55d6596d41088f49f18ca424ed8ae1 Author: Brad Spengler Date: Sun May 4 12:01:01 2014 -0400 restrict rt_cache net/ipv4/route.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 7b203e85d14f2cd81f97803f2f4a2afbc710d5fb Author: Brad Spengler Date: Sun May 4 11:39:59 2014 -0400 use ERR_PTR fs/proc/generic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9d24e618f2196fdbb84aea759b8c572066b1c0aa Author: Brad Spengler Date: Sun May 4 11:37:27 2014 -0400 compile fix fs/proc/generic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deced968c8b0a931ea8594f3dba9da40575cf7dc Author: Brad Spengler Date: Sun May 4 11:33:57 2014 -0400 compile fix fs/proc/generic.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit a07d8206b2b37c3567069ad1cc4cb244766aaaf0 Author: Brad Spengler Date: Sun May 4 11:32:18 2014 -0400 compile fix fs/proc/generic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2e194064a4c184dd955418a88805845deb1d78f4 Author: Brad Spengler Date: Sun May 4 11:26:04 2014 -0400 compile fix include/linux/proc_fs.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 6a19db7abd2d2d7390f4ff64c11fb93cea9fc0d3 Author: Brad Spengler Date: Sun May 4 11:21:38 2014 -0400 forward-port recent change to /proc/net/dev handling fs/proc/generic.c | 69 ++++++++++++++++++++++++++++++++++- fs/proc/internal.h | 3 ++ fs/proc/proc_net.c | 20 +++++------ fs/seq_file.c | 22 +++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_proc.c | 20 ++++++++++ include/linux/grsecurity.h | 2 + include/linux/proc_fs.h | 3 +- include/linux/seq_file.h | 2 + net/appletalk/atalk_proc.c | 2 +- net/can/bcm.c | 2 +- net/can/proc.c | 2 +- net/core/net-procfs.c | 12 +++++-- net/core/pktgen.c | 2 +- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +- net/ipv6/proc.c | 2 +- net/ipx/ipx_proc.c | 2 +- net/irda/irproc.c | 2 +- net/llc/llc_proc.c | 2 +- net/netfilter/xt_hashlimit.c | 4 +- net/netfilter/xt_recent.c | 2 +- net/sunrpc/cache.c | 2 +- net/sunrpc/stats.c | 2 +- net/x25/x25_proc.c | 2 +- 24 files changed, 152 insertions(+), 33 deletions(-) commit 03781fdb2928a6aad9a65527120612e42e8d897c Author: Brad Spengler Date: Sat May 3 07:25:19 2014 -0400 approve the display of the rcu-torture rtc pointer, since it's only printed into a temporary kmalloc'd buffer then sent to dmesg via printk(). Thanks to Jack Suter for the report kernel/rcu/torture.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e6abe3c923a2663c6599a22ef3db0e084ad067bf Author: Brad Spengler Date: Thu May 1 17:46:13 2014 -0400 Fix CVE-2014-1739, upstream vuln in media_enum_entities() Author Salva Peiró Date April 2014 - Discovery of the vulnerability. Impact The vulnerability discloses 200 bytes of kernel process stack. Affected Version From linux-2.6.38 to linux-3.15-rc3 Bug Timespan 3 years: 2011-03-23 to 2014-04-29 commit 1651333b (Deleted) blog post at: http://speirofr.appspot.com/cve-2014-1739-kernel-infoleak-vulnerability-in-media_enum_entities.html drivers/media/media-device.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1d1e095be5e60f547aa6963be5afd8db7b6f4527 Author: Brad Spengler Date: Tue Apr 29 20:23:46 2014 -0400 update gitignore tools/gcc/.gitignore | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e0a8d627469b275ce581d5b142ef5e2c18464cab Merge: 0315786 db5906b Author: Brad Spengler Date: Sun Apr 27 08:54:33 2014 -0400 Merge branch 'pax-test' into grsec-test commit db5906b69e8ce2b57485cdf9b75c628b94129c79 Merge: 966aa1c 798d3c5 Author: Brad Spengler Date: Sun Apr 27 08:53:57 2014 -0400 Merge branch 'linux-3.14.y' into pax-test commit 0315786960600005ba56ac24ac020efc8f698d0f Author: Dan Carpenter Date: Wed Apr 16 14:25:16 2014 +0300 Upstream commit: b7a314054eb55e3745a9409beaa5d8be5cd2d273 isdn: icn: buffer overflow in icn_command() This buffer over was detected using static analysis: drivers/isdn/icn/icn.c:1325 icn_command() error: format string overflow. buf_size: 60 length: 98 The calculation for the length of the string is off because it assumes that the dial[] buffer holds a 50 character string, but actually it is at most 31 characters and NUL. I have removed the dial[] buffer because it isn't needed. The maximum length of the string is actually 79 characters and a NUL. I have made the cbuf[] array large enough to hold it and changed the sprintf() to an snprintf() as a further safety enhancement. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/icn/icn.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit b0dff0371d218b1a0f94f93684abe16ce56ba384 Author: Eric Dumazet Date: Sat Apr 19 10:15:07 2014 -0700 Upstream commit: 404ca80eb5c2727d78cd517d12108b040c522e12 coredump: fix va_list corruption A va_list needs to be copied in case it needs to be used twice. Thanks to Hugh for debugging this issue, leading to various panics. Tested: lpq84:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern 'produce_core' is simply : main() { *(int *)0 = 1;} lpq84:~# ./produce_core Segmentation fault (core dumped) lpq84:~# dmesg | tail -1 [ 614.352947] Core dump to |/foobar12345 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 lpq84 (null) pipe failed Notice the last argument was replaced by a NULL (we were lucky enough to not crash, but do not try this on your production machine !) After fix : lpq83:~# echo "|/foobar12345 %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h %h" >/proc/sys/kernel/core_pattern lpq83:~# ./produce_core Segmentation fault lpq83:~# dmesg | tail -1 [ 740.800441] Core dump to |/foobar12345 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 lpq83 pipe failed Fixes: 5fe9d8ca21cc ("coredump: cn_vprintf() has no reason to call vsnprintf() twice") Signed-off-by: Eric Dumazet Diagnosed-by: Hugh Dickins Acked-by: Oleg Nesterov Cc: Neil Horman Cc: Andrew Morton Cc: stable@vger.kernel.org # 3.11+ Signed-off-by: Linus Torvalds fs/coredump.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit d6238568d6f2ffd112bda2a5dcc8b1c055ab5eef Author: Linus Torvalds Date: Tue Apr 22 13:49:40 2014 -0700 Upstream commit: 1b17844b29ae042576bea588164f2f1e9590a8bc mm: make fixup_user_fault() check the vma access rights too fixup_user_fault() is used by the futex code when the direct user access fails, and the futex code wants it to either map in the page in a usable form or return an error. It relied on handle_mm_fault() to map the page, and correctly checked the error return from that, but while that does map the page, it doesn't actually guarantee that the page will be mapped with sufficient permissions to be then accessed. So do the appropriate tests of the vma access rights by hand. [ Side note: arguably handle_mm_fault() could just do that itself, but we have traditionally done it in the caller, because some callers - notably get_user_pages() - have been able to access pages even when they are mapped with PROT_NONE. Maybe we should re-visit that design decision, but in the meantime this is the minimal patch. ] Found by Dave Jones running his trinity tool. Reported-by: Dave Jones Acked-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/memory.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c30687b3dc4a23853c179b365d4c5b003f768f80 Author: Brad Spengler Date: Wed Apr 23 20:19:43 2014 -0400 fix RANDSTRUCT compilation on arm allyesconfig drivers/video/sh_mobile_lcdcfb.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 480fa0cf384348cc476b719836bc94bab5b6c2d6 Author: Brad Spengler Date: Wed Apr 23 20:04:53 2014 -0400 compile fix: we renamed object_is_on_stack to (the more accurate) object_starts_on_stack drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fd5d587eb3cb7f64bdc925b508dc7ae8e7540684 Merge: 1884701 966aa1c Author: Brad Spengler Date: Wed Apr 23 19:06:10 2014 -0400 Merge branch 'pax-test' into grsec-test commit 966aa1c686ea4bff7eac840c8e292a5661059dc8 Author: Brad Spengler Date: Wed Apr 23 19:04:54 2014 -0400 Update to pax-linux-3.14.1-test6.patch: - spender fixed various compilation problems on arm, reported by Michael Tremer - spender fixed a sparc compile error - changed the colorize plugin to be similar to -fdiagnostics-color in gcc 4.9 - http://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Language-Independent-Options.html - by default colorization is off - if GCC_COLORS exists in the environment then stderr will be colored if it's a terminal - -fplugin-arg-colorize_plugin-color= takes the same arguments as -fdiagnostics-color= - e.g., the old behaviour is equivalent to EXTRA_CFLAGS=-fplugin-arg-colorize_plugin-color=always - the value of GCC_COLORS isn't parsed yet, the existing colors (red/yellow/blue) are used instead - fixed all warnings on the gcc plugins reported by clang - fixed a REFCOUNT regression that would instrument code even when REFCOUNT was disabled Makefile | 2 +- arch/arm/include/asm/mach/map.h | 4 +- arch/arm/mm/mmu.c | 4 +- arch/arm/plat-iop/setup.c | 2 +- arch/sparc/mm/hugetlbpage.c | 1 + arch/x86/include/asm/cmpxchg.h | 4 ++ arch/x86/kernel/traps.c | 4 +- drivers/dma/sh/shdma-base.c | 4 +- drivers/gpu/drm/tegra/dsi.c | 2 +- drivers/irqchip/irq-renesas-irqc.c | 2 +- drivers/thermal/of-thermal.c | 13 ++++-- tools/gcc/colorize_plugin.c | 77 +++++++++++++++++++++++++++-------- tools/gcc/constify_plugin.c | 13 ++++-- tools/gcc/kallocstat_plugin.c | 9 ++-- tools/gcc/kernexec_plugin.c | 27 +++++++------ tools/gcc/latent_entropy_plugin.c | 13 ++++-- tools/gcc/size_overflow_plugin.c | 27 +++++++------ tools/gcc/stackleak_plugin.c | 18 +++++---- tools/gcc/structleak_plugin.c | 9 ++-- 19 files changed, 154 insertions(+), 81 deletions(-) commit 188470114e75fba3505dcf6722cf65fd04a1a974 Author: Brad Spengler Date: Sun Apr 20 17:00:14 2014 -0400 fix allmodconfig compilation drivers/usb/gadget/f_uac1.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c960a617471b908413a489019c60a7b644127708 Author: Brad Spengler Date: Sun Apr 20 16:59:15 2014 -0400 fix allmodconfig compilation drivers/usb/gadget/u_uac1.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 72467604afc9007084fffdee0f202d1aaac6a520 Author: Brad Spengler Date: Sun Apr 20 11:16:23 2014 -0400 sparc64 compile fix arch/sparc/mm/hugetlbpage.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7f349d61ecba290e865667f05cd9d850bc613837 Author: Brad Spengler Date: Sun Apr 20 11:11:53 2014 -0400 fix compiler warning fs/sysfs/dir.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit f47412cc933473db618600d465f00e95e3c2f17f Author: Brad Spengler Date: Sun Apr 20 11:09:18 2014 -0400 automatically enable KERNEXEC/UDEREF in ARM autoconfig security/Kconfig | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b8741437aaf0d01cf65754010948c21d974a8a2c Author: Brad Spengler Date: Sun Apr 20 10:32:19 2014 -0400 arm compile fixes, reported by Michael Tremer arch/arm/include/asm/mach/map.h | 4 ++-- arch/arm/mm/mmu.c | 4 +++- arch/arm/plat-iop/setup.c | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) commit d3bbc864301cb104276f4436884323ee3fa85ffc Author: Brad Spengler Date: Sat Apr 19 23:49:07 2014 -0400 update size_overflow hash table tools/gcc/size_overflow_hash.data | 1397 ++++++++++++++++++++++++++++++++++--- 1 files changed, 1316 insertions(+), 81 deletions(-) commit cd23784e8fa1bfdb94ab996974b55ff393a99d1d Author: Brad Spengler Date: Sat Apr 19 17:56:43 2014 -0400 update hash table tools/gcc/size_overflow_hash.data | 89 ++++++++++++++++++++++++++++++++---- 1 files changed, 79 insertions(+), 10 deletions(-) commit c690d26a85ddc401b41736fcf3843184b8aa8ce3 Author: Brad Spengler Date: Sat Apr 19 17:27:30 2014 -0400 compile fix fs/sysfs/dir.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 9c2e86fc73a07e339453c37d453c15df5239a81b Author: Brad Spengler Date: Sat Apr 19 17:21:37 2014 -0400 compile fix fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 291020f4909335691022cad5667223cba91b889a Author: Brad Spengler Date: Sat Apr 19 17:16:53 2014 -0400 compile fix kernel/sched/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c7ff410e37eefde634fbc08b161cb2588955dd2d Author: Brad Spengler Date: Sat Apr 19 17:11:30 2014 -0400 compile fixes fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 52aeace717f5179e7da8b4bc1a5b8d30dd2a5435 Author: Brad Spengler Date: Sat Apr 19 17:01:32 2014 -0400 Initial port of grsecurity for Linux 3.14.1 Documentation/dontdiff | 2 + Documentation/kernel-parameters.txt | 4 + Makefile | 18 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/Kconfig | 1 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/Kconfig | 4 +- arch/arm/mm/fault.c | 40 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/Kconfig | 1 + arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/Kconfig | 1 + arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 4 + arch/powerpc/Kconfig | 1 + arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 5 +- arch/powerpc/kernel/Makefile | 2 + arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/mmap.c | 2 +- arch/powerpc/mm/slice.c | 2 +- arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 15 +- arch/tile/Kconfig | 1 + arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 6 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ldt.c | 11 + arch/x86/kernel/msr.c | 10 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/mm/init_32.c | 6 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/x86/xen/Kconfig | 1 + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/acpi/custom_method.c | 4 + drivers/block/cciss.h | 30 +- drivers/block/drbd/drbd_interval.c | 6 +- drivers/block/smart1,2.h | 40 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 19 +- drivers/firewire/ohci.c | 4 + drivers/gpu/drm/drm_info.c | 4 + drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/hid/hid-wiimote-debug.c | 2 +- drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/bonding/bond_main.c | 1 + drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wan/lmc/lmc_media.c | 97 +- drivers/net/wan/z85230.c | 24 +- drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/platform/x86/asus-wmi.c | 12 + drivers/rtc/rtc-dev.c | 3 + drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 20 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/lustre/lustre/llite/dir.c | 2 +- drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/uio/uio.c | 6 +- drivers/usb/core/hub.c | 5 + drivers/video/arcfb.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ drivers/video/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/matrox/matroxfb_Ti3026.c | 5 +- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 40 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 17 +- fs/debugfs/inode.c | 4 + fs/exec.c | 196 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/mount.h | 4 +- fs/namei.c | 235 ++- fs/namespace.c | 24 + fs/nfs/nfs4proc.c | 19 +- fs/open.c | 38 + fs/pipe.c | 2 +- fs/posix_acl.c | 15 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 7 +- fs/proc/interrupts.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 52 +- fs/proc/root.c | 8 + fs/proc/stat.c | 27 +- fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/reiserfs/item_ops.c | 24 +- fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 20 +- fs/sysfs/dir.c | 15 +- fs/utimes.c | 7 + fs/xattr.c | 38 +- grsecurity/Kconfig | 1161 +++++++++ grsecurity/Makefile | 54 + grsecurity/gracl.c | 2679 +++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_compat.c | 270 ++ grsecurity/gracl_fs.c | 437 ++++ grsecurity/gracl_ip.c | 386 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_policy.c | 1782 +++++++++++++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 313 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 433 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 272 ++ grsecurity/grsec_ipc.c | 48 + grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 341 +++ grsecurity/grsec_mem.c | 48 + grsecurity/grsec_mount.c | 65 + grsecurity/grsec_pax.c | 45 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 236 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 479 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsec_usb.c | 15 + grsecurity/grsum.c | 61 + include/linux/binfmts.h | 5 +- include/linux/capability.h | 5 + include/linux/compiler-gcc4.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 7 +- include/linux/dcache.h | 2 +- include/linux/fs.h | 24 +- include/linux/fs_struct.h | 2 +- include/linux/fsnotify.h | 6 + include/linux/gracl.h | 340 +++ include/linux/gracl_compat.h | 156 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 229 ++ include/linux/grmsg.h | 116 + include/linux/grsecurity.h | 246 ++ include/linux/grsock.h | 19 + include/linux/ipc_namespace.h | 2 +- include/linux/kallsyms.h | 18 +- include/linux/kmod.h | 5 + include/linux/kobject.h | 2 +- include/linux/mm.h | 1 + include/linux/mm_types.h | 4 +- include/linux/module.h | 4 +- include/linux/mount.h | 2 +- include/linux/netfilter/xt_gradm.h | 9 + include/linux/path.h | 4 +- include/linux/perf_event.h | 13 +- include/linux/pid_namespace.h | 2 +- include/linux/printk.h | 3 +- include/linux/proc_fs.h | 13 + include/linux/proc_ns.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/sched.h | 80 +- include/linux/security.h | 3 +- include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 4 +- include/linux/thread_info.h | 2 + include/linux/tty.h | 2 +- include/linux/tty_driver.h | 4 +- include/linux/uidgid.h | 5 + include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/linux/vermagic.h | 16 +- include/net/af_unix.h | 2 +- include/net/neighbour.h | 3 +- include/net/net_namespace.h | 2 +- include/net/netfilter/nf_conntrack_extend.h | 4 +- include/net/sock.h | 4 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 23 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + ipc/util.c | 6 + kernel/capability.c | 40 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 94 +- kernel/kprobes.c | 7 +- kernel/ksysfs.c | 2 + kernel/locking/lockdep_proc.c | 10 +- kernel/module.c | 106 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/pid_namespace.c | 4 +- kernel/posix-timers.c | 8 + kernel/power/Kconfig | 2 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 71 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- kernel/user_namespace.c | 15 + lib/Kconfig.debug | 7 +- lib/is_single_threaded.c | 3 + lib/list_debug.c | 65 +- lib/rbtree.c | 4 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/Kconfig | 5 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 6 +- mm/mmap.c | 85 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 29 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/core/dev_ioctl.c | 4 + net/core/filter.c | 25 +- net/core/neighbour.c | 9 +- net/core/net-procfs.c | 5 + net/core/sock_diag.c | 7 + net/decnet/dn_dev.c | 2 +- net/ieee802154/dgram.c | 3 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/ping.c | 22 +- net/ipv4/raw.c | 4 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 31 +- net/ipv6/raw.c | 4 +- net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 12 +- net/l2tp/l2tp_ip.c | 4 +- net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/nf_tables_api.c | 7 +- net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 1 - net/socket.c | 72 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- scripts/Makefile | 2 + security/Kconfig | 349 +++- security/apparmor/file.c | 4 +- security/apparmor/lsm.c | 8 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/file.c | 12 +- security/tomoyo/mount.c | 4 + security/tomoyo/tomoyo.c | 22 +- security/yama/Kconfig | 2 +- sound/core/seq/oss/seq_oss.c | 4 +- sound/core/seq/seq_midi.c | 4 +- sound/drivers/opl3/opl3_seq.c | 4 +- sound/drivers/opl4/opl4_seq.c | 4 +- sound/isa/sb/emu8000_synth.c | 4 +- sound/pci/emu10k1/emu10k1_synth.c | 4 +- sound/synth/emux/emux_seq.c | 14 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 11 + tools/gcc/gen-random-seed.sh | 8 + tools/gcc/randomize_layout_plugin.c | 910 +++++++ virt/kvm/ioapic.c | 2 +- 398 files changed, 18219 insertions(+), 2583 deletions(-) commit 6c907241bdb826a89c81080d01b5fa596b8300a2 Author: Brad Spengler Date: Sat Apr 19 15:15:29 2014 -0400 Initial import of pax-linux-3.14.1-test5.patch Documentation/dontdiff | 47 +- Documentation/kernel-parameters.txt | 23 + Makefile | 102 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 442 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 12 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 3 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 96 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 2 +- arch/arm/kernel/module.c | 31 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 20 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/tcm.c | 4 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 24 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 4 +- arch/arm/mach-at91/setup.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/cache-l2x0.c | 2 +- arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 140 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 178 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/include/asm/uaccess.h | 1 + arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 27 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/cavium-octeon/dma-octeon.c | 2 +- arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/hw_irq.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/pgtable.h | 3 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/include/asm/uaccess.h | 1 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/i8259.c | 2 +- arch/mips/kernel/irq-gt641xx.c | 2 +- arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/reset.c | 4 + arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/pci/pci-octeon.c | 4 +- arch/mips/pci/pcie-octeon.c | 12 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/mips/sni/rm200.c | 2 +- arch/mips/vr41xx/common/icu.c | 2 +- arch/mips/vr41xx/common/irq.c | 4 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 15 + arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/local.h | 15 + arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 141 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 15 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/kvm/powerpc.c | 2 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 22 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 16 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 34 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable.h | 4 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 13 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 16 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 4 +- arch/x86/boot/compressed/head_64.S | 12 +- arch/x86/boot/compressed/misc.c | 13 +- arch/x86/boot/cpucheck.c | 16 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 106 +- arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 10 +- arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 18 +- arch/x86/ia32/ia32entry.S | 173 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 269 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 166 +- arch/x86/include/asm/bitops.h | 18 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/calling.h | 118 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 78 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 14 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 106 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 136 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 15 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/preempt.h | 2 +- arch/x86/include/asm/processor.h | 79 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rmwcc.h | 84 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 82 +- arch/x86/include/asm/tlbflush.h | 73 +- arch/x86/include/asm/uaccess.h | 180 +- arch/x86/include/asm/uaccess_32.h | 24 +- arch/x86/include/asm/uaccess_64.h | 173 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/include/uapi/asm/ptrace-abi.h | 1 - arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 69 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 132 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/microcode/core.c | 2 +- arch/x86/kernel/cpu/microcode/intel.c | 4 +- arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 ++- arch/x86/kernel/entry_64.S | 742 +++- arch/x86/kernel/ftrace.c | 10 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/jump_label.c | 8 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ksysfs.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/preempt.S | 3 + arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 3 +- arch/x86/kernel/setup.c | 63 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 30 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/tsc.c | 2 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 10 +- arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 63 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 20 +- arch/x86/lib/copy_user_64.S | 81 +- arch/x86/lib/copy_user_nocache_64.S | 14 + arch/x86/lib/csum-copy_64.S | 18 +- arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 10 +- arch/x86/lib/memmove_64.S | 4 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 2 + arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 12 +- arch/x86/lib/usercopy_32.c | 357 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 564 +++- arch/x86/mm/gup.c | 6 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 24 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 151 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 38 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/intel_mid_pci.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/intel-mid/intel-mid.c | 3 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 11 +- arch/x86/xen/smp.c | 21 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 4 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 8 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/null_blk.c | 27 +- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btwilink.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 18 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 17 +- drivers/cpufreq/cpufreq.c | 26 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/intel_pstate.c | 30 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 70 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/driver.c | 2 +- drivers/cpuidle/governor.c | 2 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/cper.c | 8 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-em.c | 2 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-rcar.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 12 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 13 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 26 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_ioctl.c | 10 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/tegra/dc.c | 2 +- drivers/gpu/drm/tegra/hdmi.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 4 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/nct6775.c | 6 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 4 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/platform/vivi.c | 4 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 16 +- drivers/media/v4l2-core/v4l2-ctrls.c | 4 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 13 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 67 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/ab8500-debugfs.c | 2 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/eeprom/sunxi_sid.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/card/block.c | 2 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/sdhci-esdhc-imx.c | 7 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_netlink.c | 2 +- drivers/net/can/Kconfig | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 4 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/r8152.c | 2 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 4 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 28 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/msi.c | 6 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/chrome/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/powercap/powercap_sys.c | 136 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/imx-drm/imx-drm-core.c | 6 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 22 +- drivers/tty/hvc/hvsi_lib.c | 4 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 5 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 15 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/devio.c | 10 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 20 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbmem.c | 8 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/omap2/dss/display.c | 8 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 680 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/btrfs/sysfs.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/file.c | 10 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 16 +- fs/dcache.c | 5 +- fs/ecryptfs/inode.c | 2 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/file.c | 4 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 200 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/hostfs/hostfs_kern.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/kernfs/dir.c | 2 +- fs/kernfs/file.c | 16 +- fs/kernfs/symlink.c | 2 +- fs/libfs.c | 12 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 22 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 59 +- fs/posix_acl.c | 4 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 16 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 41 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 212 +- include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/bitops/__fls.h | 2 +- include/asm-generic/bitops/fls.h | 2 +- include/asm-generic/bitops/fls64.h | 4 +- include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 16 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/drm/ttm/ttm_page_alloc.h | 1 + include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitops.h | 6 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/hash.h | 2 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 6 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 6 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/jiffies.h | 14 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 118 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/padata.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/pm.h | 1 + include/linux/pm_domain.h | 4 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 21 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 23 +- include/linux/rculist.h | 20 +- include/linux/rcupdate.h | 2 +- include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 68 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 - include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 8 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vga_switcheroo.h | 8 +- include/linux/vmalloc.h | 7 +- include/linux/vmstat.h | 24 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 20 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 4 +- include/net/netns/ipv6.h | 4 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/checksum.h | 4 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 8 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 13 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/bcache.h | 5 +- include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 2 - include/uapi/linux/videodev2.h | 2 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/compat.c | 2 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 4 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/events/internal.h | 10 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 166 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 8 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 +- kernel/locking/lockdep.c | 7 +- kernel/locking/mutex-debug.c | 12 +- kernel/locking/mutex-debug.h | 4 +- kernel/locking/mutex.c | 10 +- kernel/locking/rtmutex-tester.c | 24 +- kernel/module.c | 337 +- kernel/notifier.c | 17 +- kernel/padata.c | 4 +- kernel/panic.c | 5 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcu/srcu.c | 4 +- kernel/rcu/tiny.c | 4 +- kernel/rcu/torture.c | 56 +- kernel/rcu/tree.c | 76 +- kernel/rcu/tree.h | 26 +- kernel/rcu/tree_plugin.h | 42 +- kernel/rcu/tree_trace.c | 22 +- kernel/rcu/update.c | 4 +- kernel/sched/auto_group.c | 4 +- kernel/sched/completion.c | 6 +- kernel/sched/core.c | 45 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 12 +- kernel/sys.c | 10 +- kernel/sysctl.c | 34 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 1 - kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/average.c | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/hash.c | 2 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/percpu-refcount.c | 2 +- lib/radix-tree.c | 2 +- lib/random32.c | 2 +- lib/show_mem.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 28 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 581 +++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 42 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 106 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 86 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 75 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/client.c | 6 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/fragmentation.c | 2 +- net/batman-adv/soft-interface.c | 6 +- net/batman-adv/types.h | 6 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 4 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/filter.c | 2 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 4 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 8 +- net/core/sock.c | 28 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 20 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 16 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 37 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 18 +- net/ipv6/addrconf.c | 12 +- net/ipv6/af_inet6.c | 2 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ip6_vti.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 33 +- net/ipv6/raw.c | 17 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 17 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 16 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/nft_compat.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 8 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 13 +- net/socket.c | 20 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/svcauth_unix.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 16 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/module-common.lds | 4 + scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 689 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/security.c | 9 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 11 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 10 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 6 +- sound/soc/soc-core.c | 6 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 51 + tools/gcc/checker_plugin.c | 150 + tools/gcc/colorize_plugin.c | 169 + tools/gcc/constify_plugin.c | 552 +++ tools/gcc/gcc-common.h | 287 ++ tools/gcc/generate_size_overflow_hash.sh | 97 + tools/gcc/kallocstat_plugin.c | 182 + tools/gcc/kernexec_plugin.c | 519 +++ tools/gcc/latent_entropy_plugin.c | 457 ++ tools/gcc/size_overflow_hash.data | 4629 ++++++++++++++++++++ tools/gcc/size_overflow_hash_aux.data | 92 + tools/gcc/size_overflow_plugin.c | 4166 ++++++++++++++++++ tools/gcc/stackleak_plugin.c | 374 ++ tools/gcc/structleak_plugin.c | 273 ++ tools/include/linux/compiler.h | 8 + tools/lib/api/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 44 +- 1763 files changed, 34368 insertions(+), 8117 deletions(-) commit e8658e072c00c4c4124383dba46d91f67a24cf97 Merge: b48043e f70f945 Author: Brad Spengler Date: Fri Apr 18 21:05:15 2014 -0400 Merge branch 'pax-test' into grsec-test commit f70f94597c07e3902709100b9e8b0ca88ee5be4d Author: Brad Spengler Date: Fri Apr 18 21:04:32 2014 -0400 Update to pax-linux-3.13.10-test20.patch: - forward port to 3.13.10 - temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves tools/gcc/size_overflow_plugin.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b48043e1a01025db96cbbe3b9817a221c8dc154b Merge: 30ce675 0338ded Author: Brad Spengler Date: Thu Apr 17 17:55:02 2014 -0400 Merge branch 'pax-test' into grsec-test commit 0338dedbccd1d623ef78ccebd057893a8510905d Author: Brad Spengler Date: Thu Apr 17 17:54:33 2014 -0400 Update to pax-linux-3.13.9-test20.patch: - Emese fixed two size overflow false positives due to intentional overflows, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940) and marcin1j (https://forums.grsecurity.net/viewtopic.php?f=3&t=3943) include/uapi/linux/bcache.h | 5 ++- tools/gcc/size_overflow_hash_aux.data | 9 +++++ tools/gcc/size_overflow_plugin.c | 58 ++++++++++++++++++++++++++++++++- 3 files changed, 69 insertions(+), 3 deletions(-) commit 30ce6750d8a1cd0484a19bb136baaec0f7780b09 Author: Brad Spengler Date: Thu Apr 17 17:12:50 2014 -0400 fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on specific shmemfs reads that end up copying from empty_zero_page, which on 32bit x86 has the same address as _etext. Fix up some other harmless instances of this error as well Thanks to 'jy' from IRC for reporting this arch/x86/mm/init_32.c | 6 +++--- fs/exec.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) commit b3a6e7d392ea040b10b5d84e21ce3b25964ce6df Merge: 27bdf99 b377d16 Author: Brad Spengler Date: Mon Apr 14 16:49:55 2014 -0400 Merge branch 'pax-test' into grsec-test commit b377d16f0d5b072ef75635ca0d778e2807c20ae8 Merge: fc6d889 f994ec5 Author: Brad Spengler Date: Mon Apr 14 16:49:37 2014 -0400 Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/x86/crypto/ghash-clmulni-intel_asm.S kernel/futex.c commit 27bdf99dcadbe3e4b185aea4f8574a6cadf3cc93 Author: Brad Spengler Date: Sun Apr 13 12:47:57 2014 -0400 From: Mathias Krause [PATCH net] filter: prevent nla extensions to peek beyond the end of the message The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check for a minimal message length before testing the supplied offset to be within the bounds of the message. This allows the subtraction of the nla header to underflow and therefore -- as the data type is unsigned -- allowing far to big offset and length values for the search of the netlink attribute. The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is also wrong. It has the minuend und subtrahend mixed up, therefore calculates a huge length value, allowing to overrun the end of the message while looking for the netlink attribute. The following three BPF snippets will trigger the bugs when attached to a UNIX datagram socket and parsing a message with length 1, 2 or 3. ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- | ld #0x87654321 | ldx #42 | ld #nla | ret a `--- ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- | ld #0x87654321 | ldx #42 | ld #nlan | ret a `--- ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- | ; (needs a fake netlink header at offset 0) | ld #0 | ldx #42 | ld #nlan | ret a `--- Fix the first issue by ensuring the message length fulfills the minimal size constrains of a nla header. Fix the second bug by getting the math for the remainder calculation right. Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") Cc: Patrick McHardy Cc: Pablo Neira Ayuso Signed-off-by: Mathias Krause net/core/filter.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 397ff885e5d3da96d0f115caa9d4c697895b3281 Author: Pablo Neira Ayuso Date: Mon Mar 31 12:26:39 2014 +0200 Upstream commit: 2fec6bb6f484b1a88b4a325724234d6cfd08c918 netfilter: nf_tables: fix wrong format in request_module() The intended format in request_module is %.*s instead of %*.s. Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 4d8b1faffb7cfe526eb20b717cb0b6d59f348108 Author: Pablo Neira Ayuso Date: Mon Mar 24 15:10:37 2014 +0100 Upstream commit: a9bdd8365684810e3de804f8c51e52c26a5eccbb netfilter: nf_tables: set names cannot be larger than 15 bytes Currently, nf_tables trims off the set name if it exceeeds 15 bytes, so explicitly reject set names that are too large. Reported-by: Giuseppe Longo Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a99a10ea229b7ae7f6af473949ff5138aef76209 Author: Brad Spengler Date: Fri Apr 11 17:33:00 2014 -0400 Upstream commit: 5678de3f15010b9022ee45673f33bcfc71d47b60 KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) QE reported that they got the BUG_ON in ioapic_service to trigger. I cannot reproduce it, but there are two reasons why this could happen. The less likely but also easiest one, is when kvm_irq_delivery_to_apic does not deliver to any APIC and returns -1. Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that function is never reached. However, you can target the similar loop in kvm_irq_delivery_to_apic_fast; just program a zero logical destination address into the IOAPIC, or an out-of-range physical destination address. Signed-off-by: Paolo Bonzini virt/kvm/ioapic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c522310c240fa3b1e671066def9fcab1f232f3b Author: Dan Carpenter Date: Tue Apr 8 12:23:09 2014 +0300 Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737 isdnloop: several buffer overflows There are three buffer overflows addressed in this patch. 1) In isdnloop_fake_err() we add an 'E' to a 60 character string and then copy it into a 60 character buffer. I have made the destination buffer 64 characters and I'm changed the sprintf() to a snprintf(). 2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 character buffer so we have 54 characters. The ->eazlist[] is 11 characters long. I have modified the code to return if the source buffer is too long. 3) In isdnloop_command() the cbuf[] array was 60 characters long but the max length of the string then can be up to 79 characters. I made the cbuf array 80 characters long and changed the sprintf() to snprintf(). I also removed the temporary "dial" buffer and changed it to use "p" directly. Unfortunately, we pass the "cbuf" string from isdnloop_command() to isdnloop_writecmd() which truncates anything over 60 characters to make it fit in card->omsg[]. (It can accept values up to 255 characters so long as there is a '\n' character every 60 characters). For now I have just fixed the memory corruption bug and left the other problems in this driver alone. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit 9b011cba3d245a48139ab05099e6a825956f8056 Author: Andrey Vagin Date: Fri Mar 28 13:54:32 2014 +0400 Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279 netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst case it can contain all extensions. Bellow you can find sizes for all types of extensions. Their sum is definitely bigger than 256. nf_ct_ext_types[0]->len = 24 nf_ct_ext_types[1]->len = 32 nf_ct_ext_types[2]->len = 24 nf_ct_ext_types[3]->len = 32 nf_ct_ext_types[4]->len = 152 nf_ct_ext_types[5]->len = 2 nf_ct_ext_types[6]->len = 16 nf_ct_ext_types[7]->len = 8 I have seen "len" up to 280 and my host has crashes w/o this patch. The right way to fix this problem is reducing the size of the ecache extension (4) and Florian is going to do this, but these changes will be quite large to be appropriate for a stable tree. Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable) Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Cc: "David S. Miller" Signed-off-by: Andrey Vagin Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_conntrack_extend.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c323aca3431ec956221a0333826a0aebcad6182c Author: Trond Myklebust Date: Wed Mar 26 13:24:37 2014 -0700 Upstream commit: e911b8158ee1def8153849b1641b736026b036e0 NFSv4: Fix a use-after-free problem in open() If we interrupt the nfs4_wait_for_completion_rpc_task() call in nfs4_run_open_task(), then we don't prevent the RPC call from completing. So freeing up the opendata->f_attr.mdsthreshold in the error path in _nfs4_do_open() leads to a use-after-free when the XDR decoder tries to decode the mdsthreshold information from the server. Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN) Tested-by: Steve Dickson Cc: stable@vger.kernel.org # 3.5+ Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 19 ++++++++++--------- 1 files changed, 10 insertions(+), 9 deletions(-) commit afbc7281d89c10419bcaf9cd8f2a34fa1f0dc74a Author: Brad Spengler Date: Fri Apr 11 16:57:17 2014 -0400 Apply: https://lkml.org/lkml/2014/4/10/736 PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak net/ipv4/ping.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit 64688b956632b3165fd8aabb9b143f4d365ba382 Author: H. Peter Anvin Date: Sun Mar 16 15:31:54 2014 -0700 Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382 x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode. Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel. Cc: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org Cc: Conflicts: arch/x86/kernel/ldt.c arch/x86/kernel/ldt.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 027b8db0f3266f307c6324f52d19c9425e01a95b Author: Brad Spengler Date: Mon Apr 7 18:41:45 2014 -0400 Update GRKERNSEC_IO documentation grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4ffae780ca4045f1e00c3695a1c67fa7b83e842a Author: Brad Spengler Date: Sun Apr 6 18:59:00 2014 -0400 add compiler.h to path.h include/linux/path.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 697d5a873545a0ee00e2bffbf74ba5faae55c286 Author: Brad Spengler Date: Sun Apr 6 18:37:18 2014 -0400 fix typo security/tomoyo/tomoyo.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit d1a22c83e7a3175d894b8ceb0f01b77fe499db28 Author: Brad Spengler Date: Sun Apr 6 17:58:39 2014 -0400 fix tomoyo compilation with RANDSTRUCT Conflicts: security/tomoyo/tomoyo.c security/tomoyo/tomoyo.c | 27 ++++++++++++++++----------- 1 files changed, 16 insertions(+), 11 deletions(-) commit 96785c664a95a149773214bed1d7463ffad0441f Author: Brad Spengler Date: Sun Apr 6 17:50:38 2014 -0400 fix tomoyo compilation with RANDSTRUCT security/tomoyo/file.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 25475ea5ba7ec539347edb25d8d15eac6a9e65d1 Author: Brad Spengler Date: Sun Apr 6 17:43:47 2014 -0400 Fix tomoyo compilation with RANDSTRUCT security/tomoyo/file.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit bd744926b9496053982db351f2b087725e931ce2 Author: Brad Spengler Date: Sun Apr 6 17:23:09 2014 -0400 fix apparmor compilation with RANDSTRUCT security/apparmor/file.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 6a70a4ca3f2f5b2f9f2f1c500a3b39813f980091 Author: Brad Spengler Date: Sun Apr 6 17:11:40 2014 -0400 fix apparmor compilation with RANDSTRUCT security/apparmor/lsm.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 6d5c843ec117929962b0b5e36b6efe36d7008489 Author: Brad Spengler Date: Sun Apr 6 16:58:35 2014 -0400 add __randomize_layout to more important structures Conflicts: include/linux/filter.h include/net/af_unix.h include/net/sock.h include/linux/binfmts.h | 4 ++-- include/linux/path.h | 2 +- include/linux/security.h | 2 +- include/linux/tty_driver.h | 2 +- include/net/af_unix.h | 2 +- include/net/sock.h | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) commit 2d58b7af7d974cf11c9b6fcaafc098f68925b28d Merge: f7886f6 fc6d889 Author: Brad Spengler Date: Sun Apr 6 09:10:40 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/Makefile commit fc6d8892f8370cc6b246aab23dfe3ce472da9058 Author: Brad Spengler Date: Sun Apr 6 09:06:24 2014 -0400 Update to pax-linux-3.13.9-test19.patch: - updated the hash database for external modules, by Emese - fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa - proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream - fixed plugin compilation under gcc 4.5, reported by Emese Revfy - Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594 arch/x86/boot/compressed/misc.c | 7 +- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- scripts/gcc-plugin.sh | 4 +- tools/gcc/Makefile | 12 ++- tools/gcc/gcc-common.h | 1 + tools/gcc/generate_size_overflow_hash.sh | 5 +- tools/gcc/size_overflow_hash_aux.data | 83 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 25 ++++-- 8 files changed, 123 insertions(+), 18 deletions(-) commit f7886f6633822747782b7206b371ea521eee3f0b Author: Brad Spengler Date: Sun Apr 6 08:34:08 2014 -0400 This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b. net/socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0f1d45357477cb7658e7dc361c7ac67678d7a9b9 Merge: ca30500 6bf7e1d Author: Brad Spengler Date: Sat Apr 5 18:09:10 2014 -0400 Merge branch 'pax-test' into grsec-test commit 6bf7e1df5475a7244d717546bd5c0569acdf8215 Merge: 20f0a08 bf061ff Author: Brad Spengler Date: Sat Apr 5 18:08:56 2014 -0400 Merge branch 'linux-3.13.y' into pax-test commit ca305006c767819ee7924d7ea952a8f9c817d2a7 Author: Pablo Neira Date: Tue Apr 1 19:38:44 2014 +0200 Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835 netlink: don't compare the nul-termination in nla_strcmp nla_strcmp compares the string length plus one, so it's implicitly including the nul-termination in the comparison. int nla_strcmp(const struct nlattr *nla, const char *str) { int len = strlen(str) + 1; ... d = memcmp(nla_data(nla), str, len); However, if NLA_STRING is used, userspace can send us a string without the nul-termination. This is a problem since the string comparison will not match as the last byte may be not the nul-termination. Fix this by skipping the comparison of the nul-termination if the attribute data is nul-terminated. Suggested by Thomas Graf. Cc: Florian Westphal Cc: Thomas Graf Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller lib/nlattr.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 4676a42ce0a63b9713d315c715d6f863d6388bf2 Author: Oleg Nesterov Date: Wed Apr 2 17:45:05 2014 +0200 Upstream commit: d23082257d83e4bc89727d5aedee197e907999d2 pid_namespace: pidns_get() should check task_active_pid_ns() != NULL pidns_get()->get_pid_ns() can hit ns == NULL. This task_struct can't go away, but task_active_pid_ns(task) is NULL if release_task(task) was already called. Alternatively we could change get_pid_ns(ns) to check ns != NULL, but it seems that other callers are fine. Signed-off-by: Oleg Nesterov Cc: Eric W. Biederman ebiederm@xmission.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds kernel/pid_namespace.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit b2c5c8d231e1749fe42698c6be31a49b46b8eb7e Author: YOSHIFUJI Hideaki / 吉藤英明 Date: Wed Apr 2 12:48:42 2014 +0900 Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62 isdnloop: Validate NUL-terminated strings from user. Return -EINVAL unless all of user-given strings are correctly NUL-terminated. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit abceea2065cb053917751b02a02e87134d5af5b0 Author: Wei Liu Date: Tue Apr 1 12:46:12 2014 +0100 Upstream commit: e9d8b2c2968499c1f96563e6522c56958d5a1d0d xen-netback: disable rogue vif in kthread context When netback discovers frontend is sending malformed packet it will disables the interface which serves that frontend. However disabling a network interface involving taking a mutex which cannot be done in softirq context, so we need to defer this process to kthread context. This patch does the following: 1. introduce a flag to indicate the interface is disabled. 2. check that flag in TX path, don't do any work if it's true. 3. check that flag in RX path, turn off that interface if it's true. The reason to disable it in RX path is because RX uses kthread. After this change the behavior of netback is still consistent -- it won't do any TX work for a rogue frontend, and the interface will be eventually turned off. Also change a "continue" to "break" after xenvif_fatal_tx_err, as it doesn't make sense to continue processing packets if frontend is rogue. This is a fix for XSA-90. Reported-by: Török Edwin Signed-off-by: Wei Liu Cc: Ian Campbell Reviewed-by: David Vrabel Acked-by: Ian Campbell Signed-off-by: David S. Miller drivers/net/xen-netback/common.h | 5 +++++ drivers/net/xen-netback/interface.c | 11 +++++++++++ drivers/net/xen-netback/netback.c | 16 ++++++++++++++-- 3 files changed, 30 insertions(+), 2 deletions(-) commit ff438506da3cf85c07f3f3c80429f87138502d82 Author: Brad Spengler Date: Thu Apr 3 11:34:13 2014 -0400 revert last change net/core/filter.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit aed17226225c496cea10f90db89cb5f505ce5c3a Author: Brad Spengler Date: Thu Apr 3 10:38:55 2014 -0400 harden non-JIT socket filters against memory corruption occuring after check time net/core/filter.c | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) commit 8153c4335a8c655d0dc51fb547bf257339faabe3 Author: Brad Spengler Date: Thu Apr 3 11:01:13 2014 -0400 add additional checking, convert WARN to a BUG since we should be able to filter out any invalid ops at filter install time -- finding them during runtime is a sign of memory corruption Conflicts: net/core/filter.c net/core/filter.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit cf4164083c37d1f301ab28f5cf102b875c6a3057 Author: Brad Spengler Date: Thu Apr 3 07:39:34 2014 -0400 Update documentation on chroot to notify users that chrooting to a bind mount of the root filesystem provides no security benefits and will not trigger the chroot protections. grsecurity/Kconfig | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 809c33c81db39b5e0a2f8b8953f156d3ae2bc9d4 Merge: b224936 20f0a08 Author: Brad Spengler Date: Tue Apr 1 18:41:17 2014 -0400 Merge branch 'pax-test' into grsec-test commit 20f0a08510a47d6d31c29da6ff3bd093a62cfdd1 Merge: 6b71ad0 5366635 Author: Brad Spengler Date: Tue Apr 1 18:41:02 2014 -0400 Merge branch 'linux-3.13.y' into pax-test commit b224936088e49229a37e4a3b17567598161bb1c0 Author: Sasha Levin Date: Fri Mar 28 17:38:42 2014 +0100 Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6 random32: avoid attempt to late reseed if in the middle of seeding Commit 4af712e8df ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized") has added a late reseed stage that happens as soon as the nonblocking pool is marked as initialized. This fails in the case that the nonblocking pool gets initialized during __prandom_reseed()'s call to get_random_bytes(). In that case we'd double back into __prandom_reseed() in an attempt to do a late reseed - deadlocking on 'lock' early on in the boot process. Instead, just avoid even waiting to do a reseed if a reseed is already occuring. Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized") Signed-off-by: Sasha Levin Acked-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller lib/random32.c | 13 ++++++++++++- 1 files changed, 12 insertions(+), 1 deletions(-) commit 9aa441e0e5aa2480ca073e33fcf6a9f5cdaabc81 Author: Michael S. Tsirkin Date: Thu Mar 27 12:00:26 2014 +0200 Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0 vhost: fix total length when packets are too short When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success. This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it. Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated. Fix this up by detecting this overrun and doing packet drop immediately. CVE-2014-0077 Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) commit 43ee74030403a780a1e9418ab825f4d675ccdb47 Merge: 9987cd5 6b71ad0 Author: Brad Spengler Date: Sun Mar 30 13:28:35 2014 -0400 Merge branch 'pax-test' into grsec-test commit 6b71ad024068595a2e4caa3393fbb4d531197e27 Author: Brad Spengler Date: Sun Mar 30 13:27:44 2014 -0400 Update to pax-linux-3.13.7-test17.patch: - fixed a regression in the previous latent entropy plugin change, reported by spender - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger drivers/hv/hv.c | 2 +- scripts/gcc-plugin.sh | 4 ++-- tools/gcc/latent_entropy_plugin.c | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) commit 9987cd5663f69ecc4d8bdfe80e46775ec081512c Author: Wei Liu Date: Sat Mar 15 16:11:47 2014 +0000 Upstream commit: 09ed3d5ba06137913960f9c9385f71fc384193ab xen/balloon: flush persistent kmaps in correct position Xen balloon driver will update ballooned out pages' P2M entries to point to scratch page for PV guests. In 24f69373e2 ("xen/balloon: don't alloc page while non-preemptible", kmap_flush_unused was moved after updating P2M table. In that case for 32 bit PV guest we might end up with P2M X -----> S (S is mfn of balloon scratch page) M2P Y -----> X (Y is mfn in persistent kmap entry) kmap_flush_unused() iterates through all the PTEs in the kmap address space, using pte_to_page() to obtain the page. If the p2m and the m2p are inconsistent the incorrect page is returned. This will clear page->address on the wrong page which may cause subsequent oopses if that page is currently kmap'ed. Move the flush back between get_page and __set_phys_to_machine to fix this. Signed-off-by: Wei Liu Signed-off-by: David Vrabel Cc: stable@vger.kernel.org # 3.12+ drivers/xen/balloon.c | 24 ++++++++++++++++++------ 1 files changed, 18 insertions(+), 6 deletions(-) commit f6481e295cb69c34218b694ba5fca6315cc90b71 Author: David Vrabel Date: Tue Mar 25 10:38:37 2014 +0000 Upstream commit: 5926f87fdaad4be3ed10cec563bf357915e55a86 Revert "xen: properly account for _PAGE_NUMA during xen pte translations" This reverts commit a9c8e4beeeb64c22b84c803747487857fe424b68. PTEs in Xen PV guests must contain machine addresses if _PAGE_PRESENT is set and pseudo-physical addresses is _PAGE_PRESENT is clear. This is because during a domain save/restore (migration) the page table entries are "canonicalised" and uncanonicalised". i.e., MFNs are converted to PFNs during domain save so that on a restore the page table entries may be rewritten with the new MFNs on the destination. This canonicalisation is only done for PTEs that are present. This change resulted in writing PTEs with MFNs if _PAGE_PROTNONE (or _PAGE_NUMA) was set but _PAGE_PRESENT was clear. These PTEs would be migrated as-is which would result in unexpected behaviour in the destination domain. Either a) the MFN would be translated to the wrong PFN/page; b) setting the _PAGE_PRESENT bit would clear the PTE because the MFN is no longer owned by the domain; or c) the present bit would not get set. Symptoms include "Bad page" reports when munmapping after migrating a domain. Signed-off-by: David Vrabel Acked-by: Konrad Rzeszutek Wilk Cc: [3.12+] arch/x86/include/asm/pgtable.h | 14 ++------------ arch/x86/xen/mmu.c | 4 ++-- 2 files changed, 4 insertions(+), 14 deletions(-) commit 29e56c3fdd2ff43c43f31e74bccc164c38ec96b2 Author: Daniel Vetter Date: Wed Mar 26 20:10:09 2014 +0100 Upstream commit: 8ee661b505613ef2747b350ca2871a31b3781bee drm/i915: Undo gtt scratch pte unmapping again It apparently blows up on some machines. This functionally reverts commit 828c79087cec61eaf4c76bb32c222fbe35ac3930 Author: Ben Widawsky Date: Wed Oct 16 09:21:30 2013 -0700 drm/i915: Disable GGTT PTEs on GEN6+ suspend Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=64841 Reported-and-Tested-by: Brad Jackson Cc: stable@vger.kernel.org Cc: Takashi Iwai Cc: Paulo Zanoni Cc: Todd Previte Signed-off-by: Daniel Vetter Signed-off-by: Dave Airlie drivers/gpu/drm/i915/i915_gem_gtt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f5fd5843a87569cfd8de8e8843ccb13e9e35afd5 Author: Jan Kara Date: Wed Mar 26 06:20:14 2014 +0100 Upstream commit: 75c5a52da3fc2a06abb6c6192bdf5d680e56d37d vfs: Allocate anon_inode_inode in anon_inode_init() Currently we allocated anon_inode_inode in anon_inodefs_mount. This is somewhat fragile as if that function ever gets called again, it will overwrite anon_inode_inode pointer. So move the initialization of anon_inode_inode to anon_inode_init(). Signed-off-by: Jan Kara [ Further simplified on suggestion from Dave Jones ] Signed-off-by: Linus Torvalds fs/anon_inodes.c | 30 ++++++++---------------------- 1 files changed, 8 insertions(+), 22 deletions(-) commit da2cc3c610141a5f41bd382b5ee7729893e3db12 Author: Brad Spengler Date: Thu Mar 27 21:54:11 2014 -0400 ignore noreturn functions for now in the latent_entropy plugin tools/gcc/latent_entropy_plugin.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 0d1e588588bc19f449d667b69ac76bad0584752d Author: Brad Spengler Date: Thu Mar 27 21:27:56 2014 -0400 update config help for GRKERNSEC_KMEM to reflect recent change to only deny writes to /dev/cpu/*/msr instead of denying access entirely, allows powertop etc to continue to work while denying/logging the malicious activity grsecurity/Kconfig | 12 +++++------- 1 files changed, 5 insertions(+), 7 deletions(-) commit 4ad2f9fd7429c81e3b2115227685af06830d05c4 Author: Brad Spengler Date: Thu Mar 27 21:24:58 2014 -0400 Revert "Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b" This reverts commit b6ab67fc7a47b542601dd116f934d255c9c2c372. kernel/trace/trace.c | 27 ++------------------------- 1 files changed, 2 insertions(+), 25 deletions(-) commit 1a70975ec716c68b37758fbba95ab9b7b6165c8a Author: Linus Torvalds Date: Tue Mar 25 17:43:34 2014 -0700 Upstream commit: fce7fc79c8f7188dfc5eafa1b937bcc3c5a4c2f5 fs: remove now stale label in anon_inode_init() The previous commit removed the register_filesystem() call and the associated error handling, but left the label for the error path that no longer exists. Remove that too. Signed-off-by: Linus Torvalds fs/anon_inodes.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 6c1ec97bac84bc22b1a37008193643b9bcab1a46 Author: Jan Kara Date: Tue Mar 25 21:37:09 2014 +0100 Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1 fs: Avoid userspace mounting anon_inodefs filesystem anon_inodefs filesystem is a kernel internal filesystem userspace shouldn't mess with. Remove registration of it so userspace cannot even try to mount it (which would fail anyway because the filesystem is MS_NOUSER). This fixes an oops triggered by trinity when it tried mounting anon_inodefs which overwrote anon_inode_inode pointer while other CPU has been in anon_inode_getfile() between ihold() and d_instantiate(). Thus effectively creating dentry pointing to an inode without holding a reference to it. Reported-by: Sasha Levin Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds fs/anon_inodes.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 1e03cd2f178d167cc13e29836c1cb040aeea8d0f Author: Al Viro Date: Sun Mar 23 00:28:40 2014 -0400 Upstream commit: e825196d48d2b89a6ec3a8eff280098d2a78207e make prepend_name() work correctly when called with negative *buflen In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8c174b004c6eed3d46e9888385207f454599aa23 Author: Al Viro Date: Thu Mar 20 15:18:22 2014 -0400 Upstream commit: b37199e626b31e1175fb06764c5d1d687723aac2 rcuwalk: recheck mount_lock after mountpoint crossing attempts We can get false negative from __lookup_mnt() if an unrelated vfsmount gets moved. In that case legitimize_mnt() is guaranteed to fail, and we will fall back to non-RCU walk... unless we end up running into a hard error on a filesystem object we wouldn't have reached if not for that false negative. IOW, delaying that check until the end of pathname resolution is wrong - we should recheck right after we attempt to cross the mountpoint. We don't need to recheck unless we see d_mountpoint() being true - in that case even if we have just raced with mount/umount, we can simply go on as if we'd come at the moment when the sucker wasn't a mountpoint; if we run into a hard error as the result, it was a legitimate outcome. __lookup_mnt() returning NULL is different in that respect, since it might've happened due to operation on completely unrelated mountpoint. Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namei.c | 29 +++++++++++++---------------- 1 files changed, 13 insertions(+), 16 deletions(-) commit b6ab67fc7a47b542601dd116f934d255c9c2c372 Author: Steven Rostedt (Red Hat) Date: Tue Mar 25 23:39:41 2014 -0400 Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b tracing: Fix traceon trigger condition to actually turn tracing on While working on my tutorial for 2014 Linux Collaboration Summit I found that the traceon trigger did not work when conditions were used. The other triggers worked fine though. Looking into it, it is because of the way the triggers use the ring buffer to store the fields it will use for the condition. But if tracing is off, nothing is stored in the buffer, and the tracepoint exits before calling the trigger to test the condition. This is fine for all the triggers that only work when tracing is on, but for traceon trigger that is to work when tracing is off, nothing happens. The fix is simple, just use a temp ring buffer to record the event if tracing is off and the event has a trace event conditional trigger enabled. The rest of the tracepoint code will work just fine, but the tracepoint wont be recorded in the other buffers. Cc: Tom Zanussi Signed-off-by: Steven Rostedt kernel/trace/trace.c | 27 +++++++++++++++++++++++++-- 1 files changed, 25 insertions(+), 2 deletions(-) commit 3b8aebe0c4cffda5d5bfc738e7a02fd320184b06 Author: Eric Dumazet Date: Tue Mar 25 18:42:27 2014 -0700 Upstream commit: de1443916791d75fdd26becb116898277bb0273f net: unix: non blocking recvmsg() should not return -EINTR Some applications didn't expect recvmsg() on a non blocking socket could return -EINTR. This possibility was added as a side effect of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines"). To hit this bug, you need to be a bit unlucky, as the u->readlock mutex is usually held for very small periods. Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines") Signed-off-by: Eric Dumazet Cc: Rainer Weikusat Signed-off-by: David S. Miller net/unix/af_unix.c | 17 ++++++++++++----- 1 files changed, 12 insertions(+), 5 deletions(-) commit 1bb09af0e99a5b3f3006e4fedf9bba1c3ed3d9d4 Merge: 5473ce5 0a11cb5 Author: Brad Spengler Date: Thu Mar 27 20:00:42 2014 -0400 Merge branch 'pax-test' into grsec-test commit 0a11cb57b4afce8c08851aef512f873bdb3d9943 Author: Brad Spengler Date: Thu Mar 27 20:00:02 2014 -0400 Update to pax-linux-3.13.7-test16.patch: - updated the size overflow hast table, by spender - fixed the gcc plugin capability detector script for gcc 4.9 - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused) - removed the pointless retaddr instrumentation from the low level kernel relocator code arch/x86/kernel/head_64.S | 2 +- arch/x86/kernel/relocate_kernel_64.S | 2 -- arch/x86/kernel/smpboot.c | 2 +- scripts/gcc-plugin.sh | 17 ++++++++--------- tools/gcc/latent_entropy_plugin.c | 10 ++++++---- tools/gcc/size_overflow_hash.data | 6 ++++++ 6 files changed, 22 insertions(+), 17 deletions(-) commit 5473ce509ab763c927aa2639f7db8aee384d3693 Author: Eric Dumazet Date: Wed Mar 19 21:02:21 2014 -0700 Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8 tcp: syncookies: do not use getnstimeofday() While it is true that getnstimeofday() uses about 40 cycles if TSC is available, it can use 1600 cycles if hpet is the clocksource. Switch to get_jiffies_64(), as this is more than enough, and go back to 60 seconds periods. Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds") Signed-off-by: Eric Dumazet Cc: Florian Westphal Acked-by: Florian Westphal Signed-off-by: David S. Miller include/net/tcp.h | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 580a16424470410a1655dd62f71847725a89e1f0 Author: Dave Kleikamp Date: Fri Mar 14 10:42:01 2014 -0500 Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371 sparc64: don't treat 64-bit syscall return codes as 32-bit When checking a system call return code for an error, linux_sparc_syscall was sign-extending the lower 32-bit value and comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return codes whose lower 32-bits alone would indicate a failure (such as 4G-1). Use the whole 64-bit value to check for errors. Only the 32-bit path should sign extend the lower 32-bit value. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Acked-by: Allen Pais Cc: David S. Miller Cc: sparclinux@vger.kernel.org Signed-off-by: David S. Miller arch/sparc/kernel/syscalls.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 29127b7a71024630e40d98ec08c77e3feb584e7e Author: Brad Spengler Date: Tue Mar 25 17:07:59 2014 -0400 update size_overflow hash table tools/gcc/size_overflow_hash.data | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit d42eece8853149008b9645106936f9cd4ddb38bc Merge: df4b222 cb629d4 Author: Brad Spengler Date: Mon Mar 24 19:07:49 2014 -0400 Merge branch 'pax-test' into grsec-test commit cb629d4458d7491cc16580860c234f85c463111d Merge: 3afa257 896c694 Author: Brad Spengler Date: Mon Mar 24 19:07:30 2014 -0400 Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/x86/kernel/head_32.S drivers/cpufreq/intel_pstate.c commit df4b2229045f125eaa91dd2a696e56c589f8c962 Merge: e440e3a 3afa257 Author: Brad Spengler Date: Mon Mar 24 18:55:45 2014 -0400 Merge branch 'pax-test' into grsec-test commit 3afa2576ef64a8266c5a2f142e3cb3c970f21d3c Author: Brad Spengler Date: Mon Mar 24 18:54:38 2014 -0400 Update to pax-linux-3.13.7-test15.patch: - fixed several compilation problems on arm all*configs, by spender - small update to gcc-common.h - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) Makefile | 2 +- arch/arm/include/asm/uaccess.h | 1 + arch/ia64/include/asm/uaccess.h | 1 + arch/powerpc/include/asm/uaccess.h | 1 + arch/powerpc/mm/mmap.c | 6 +++--- arch/s390/include/asm/uaccess.h | 1 + arch/x86/include/asm/uaccess.h | 2 +- arch/x86/include/asm/uaccess_64.h | 12 ++++++------ 8 files changed, 15 insertions(+), 11 deletions(-) commit e440e3aa4b4662f8d811120a87f51d8ab48d9c90 Author: Brad Spengler Date: Thu Mar 20 23:16:11 2014 -0400 convert hvc tty driver to proper refcounted atomics on port.count, fixes ppc64 allyesconfig compilation drivers/tty/hvc/hvsi.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 013c6d73e4a4ae358ee180b40428f3dd04dd3aa8 Author: Brad Spengler Date: Thu Mar 20 22:53:31 2014 -0400 add local_unchecked_t accessors to fix ppc64 compilation arch/powerpc/include/asm/local.h | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) commit 1cffa7895513b754c95673b12a8c638797e5b7e2 Author: Brad Spengler Date: Thu Mar 20 22:25:47 2014 -0400 add access_ok_noprefault macro to fix ppc64+kvm compilation, patch from pipacs arch/arm/include/asm/uaccess.h | 1 + arch/arm64/include/asm/uaccess.h | 1 + arch/ia64/include/asm/uaccess.h | 1 + arch/mips/include/asm/uaccess.h | 1 + arch/powerpc/include/asm/uaccess.h | 1 + arch/s390/include/asm/uaccess.h | 1 + arch/x86/include/asm/uaccess.h | 2 +- arch/x86/include/asm/uaccess_64.h | 12 ++++++------ arch/x86/mm/gup.c | 4 ++-- virt/kvm/kvm_main.c | 2 +- 10 files changed, 16 insertions(+), 10 deletions(-) commit 58bdcb9b494eb7ab916ead7944e444d0a6af5002 Author: Brad Spengler Date: Thu Mar 20 21:53:32 2014 -0400 correct function definition for kvm_arch_init() to fix compilation on ppc64 arch/powerpc/kvm/powerpc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3eb6820bfec5b4a4bfbb0056c057d50b8df4997 Author: Brad Spengler Date: Thu Mar 20 21:47:35 2014 -0400 fix ppc64 allyesconfig compilation with RANDSTRUCT arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit fb017032977cb38d750fe9b9a11d22fc565e576f Author: Brad Spengler Date: Thu Mar 20 21:36:39 2014 -0400 use $(LATENT_ENTROPY_PLUGIN_CFLAGS) arch/powerpc/kernel/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e795367c8c4d750c3900f6546365ca27b9a8aad5 Author: Brad Spengler Date: Thu Mar 20 21:24:01 2014 -0400 move REMOVE_CFLAGS arch/powerpc/kernel/Makefile | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f80a67cf62542dbab790fcad2395c00e6534c26d Author: Brad Spengler Date: Thu Mar 20 20:30:35 2014 -0400 fix compilation by removing the latent entropy plugin from prom_init.c -- there's a script for ppc64 that checks the object file for a whitelisted set of exported symbols, code is very fragile arch/powerpc/kernel/Makefile | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit cafe563e6cc19e3510c2f341c12440fdbd77a2aa Author: Brad Spengler Date: Thu Mar 20 20:28:07 2014 -0400 export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64 Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 90330189b37110d8343edd37147bb5c666feede4 Author: Brad Spengler Date: Thu Mar 20 20:24:53 2014 -0400 fix ppc64 compilation, pass mm_struct through from arch_pick_mmap_layout arch/powerpc/mm/mmap.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 765a84b5300316d57eb9b82f7d941750d9ddf9ec Author: Brad Spengler Date: Wed Mar 19 21:53:12 2014 -0400 add ktla_ktva/ktva_ktla to sparc to fix compilation arch/sparc/include/asm/pgtable.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 896004e18909d7de9ffe295180e12c275a623990 Author: Brad Spengler Date: Wed Mar 19 21:32:20 2014 -0400 remove __read_mostly on ip_vs_genl_ops[], it's const so the attribute is bogus and causes compilation failure on MIPS net/netfilter/ipvs/ip_vs_ctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 143dcb4ff8b259163f978c468663dcaebfe573b4 Author: Brad Spengler Date: Wed Mar 19 21:18:46 2014 -0400 Include second patch needed for compilation, not yet included by upstream (so MIPS compilation is broken there): http://patchwork.linux-mips.org/patch/6585/ arch/mips/include/asm/ftrace.h | 20 ++++++++++---------- 1 files changed, 10 insertions(+), 10 deletions(-) commit b464eb7ac1132953ab99ff25826478e32690844f Author: Markos Chandras Date: Wed Jan 22 14:39:57 2014 +0000 Upstream commit: a8031d2ce15bdb90baeae02d7a231ccece73da8b MIPS: asm: syscall: Fix copying system call arguments The syscall_get_arguments function expects the arguments to be copied to the '*args' argument but instead a local variable was used to hold the system call argument. As a result of which, this variable was never passed to the filter and any filter testing the system call arguments would fail. This is fixed by passing the '*args' variable as the destination memory for the system call arguments. Signed-off-by: Markos Chandras Reviewed-by: Paul Burton Reviewed-by: James Hogan Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6402/ Signed-off-by: Ralf Baechle arch/mips/include/asm/syscall.h | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit b8f9d6f82e2fb814be37391109623d79e297571d Author: Brad Spengler Date: Wed Mar 19 21:01:40 2014 -0400 add ktla_ktva/ktva_ktla macros to MIPS arch/mips/include/asm/pgtable.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit f0f660649f3b2cf1d448940ca8b7f4ab4249d8ce Author: Brad Spengler Date: Wed Mar 19 20:46:38 2014 -0400 include linux/prefetch.h to fix mips compilation grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 514ec7617daa1a925a0ec0fa910335396213ef45 Author: Brad Spengler Date: Wed Mar 19 20:45:59 2014 -0400 Revert "fix compiler warning in hugetlbfs code" This reverts commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0. fs/hugetlbfs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6da49b57e2795853a453f596e0b874aece27aa4b Author: Viller Hsiao Date: Sat Feb 22 15:46:49 2014 +0800 Upstream commit: a4671094227d11985c06ee1178d7205c5fd39f8a MIPS: ftrace: Fix icache flush range error In 32-bit mode, the start address passed to flush_icache_range is shifted by 4 bytes before the second safe_store_code() call. This causes system crash from time to time because the first 4 bytes might not be flushed properly. This bug exists since linux-3.8. Also remove obsoleted comment while at it. Signed-off-by: Viller Hsiao Cc: linux-mips@linux-mips.org Cc: rostedt@goodmis.org Cc: fweisbec@gmail.com Cc: mingo@redhat.com Cc: Qais.Yousef@imgtec.com Patchwork: https://patchwork.linux-mips.org/patch/6586/ Signed-off-by: Ralf Baechle arch/mips/kernel/ftrace.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 624ddea7bbda3535b7c9a779b6ff149e93863321 Author: Lars Persson Date: Mon Mar 17 12:14:13 2014 +0100 Upstream commit: 86ca57b5a5525dbf89fc2a3285781fae807276b0 MIPS: Fix syscall tracing interface Fix pointer computation for stack-based arguments. Signed-off-by: Lars Persson Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6620/ Signed-off-by: Ralf Baechle arch/mips/include/asm/syscall.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bf3daf307906cd7d03cb6eb64559ee98cdf3182 Author: Brad Spengler Date: Wed Mar 19 20:28:16 2014 -0400 fix octeon compilation, add __maybe_unused to usp local var arch/mips/include/asm/syscall.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0 Author: Brad Spengler Date: Wed Mar 19 19:46:52 2014 -0400 fix compiler warning in hugetlbfs code fs/hugetlbfs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 43783f55374fe9bafc064ceacf915920ca45a6c5 Merge: e018f0a aae8b87 Author: Brad Spengler Date: Mon Mar 17 19:51:01 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/gpio/gpio-rcar.c commit aae8b8720beec7c79d17ddd4f7d55bac0e83d5c6 Author: Brad Spengler Date: Mon Mar 17 19:48:43 2014 -0400 Update to pax-linux-3.13.6-test14.patch: - fixed several compilation problems on arm all*configs, by spender - small update to gcc-common.h - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) arch/arm/include/asm/page.h | 1 + drivers/base/power/domain.c | 4 +- drivers/gpio/gpio-em.c | 2 +- drivers/gpio/gpio-rcar.c | 2 +- drivers/mfd/ab8500-debugfs.c | 2 +- drivers/net/can/Kconfig | 2 +- drivers/staging/imx-drm/imx-drm-core.c | 6 +- include/linux/pm_domain.h | 2 +- tools/gcc/gcc-common.h | 12 +++ tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++--------- 10 files changed, 106 insertions(+), 43 deletions(-) commit e018f0a38370496abe4289911eb67f1816cdc65d Author: Brad Spengler Date: Mon Mar 17 19:12:04 2014 -0400 move the location of the include to suit pipacs' OCD arch/arm/include/asm/page.h | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit bb6742b0e35d1ee42ec643ea921a340d672ec3bc Author: Brad Spengler Date: Mon Mar 17 18:01:11 2014 -0400 revert lustre change, we'll include compiler.h from asm/page.h instead .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit a39c965db54a571780b9844d93cfec71265b2c5e Author: Brad Spengler Date: Mon Mar 17 18:00:13 2014 -0400 fix ARM compilation with constify plugin arch/arm/include/asm/page.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 721fb83dc182e1442311b8ca3a986963f9cf2b76 Author: Brad Spengler Date: Mon Mar 17 17:18:04 2014 -0400 move header ordering .../lustre/include/linux/lnet/linux/lib-lnet.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 985afa44870e690fce35adf47979a99855db3323 Author: Brad Spengler Date: Mon Mar 17 17:02:24 2014 -0400 compile fix for lustre on ARM with constify plugin .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e5c4fe3e8fb7e1a64f1ab29887b7f787cc989c24 Author: Brad Spengler Date: Mon Mar 17 16:04:34 2014 -0400 fix compiler error caused by constify plugin on ARM drivers/mfd/ab8500-debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b6e2f644cf05a858d3988fb9bb8a8ca6c0beeff4 Author: Brad Spengler Date: Mon Mar 17 15:46:53 2014 -0400 fix more compile errors caused by RANDSTRUCT and constify plugins on ARM drivers/base/power/domain.c | 4 ++-- include/linux/pm_domain.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 2d33f0f25f7ee45412728f8bad6ef97b5bf40a66 Author: Brad Spengler Date: Mon Mar 17 15:34:17 2014 -0400 fix another compile error caused by constify plugin on ARM drivers/gpio/gpio-rcar.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 05b33c660567d4dc74ebcd06e996bf0656146757 Author: Brad Spengler Date: Mon Mar 17 15:08:49 2014 -0400 fix compile error caused by constify plugin on ARM drivers/gpio/gpio-em.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b9c8e0a83ba19e0228317675ffb4e1c1fb175b31 Author: Brad Spengler Date: Sun Mar 16 21:17:20 2014 -0400 fix allyesconfig compilation with PAX_REFCOUNT drivers/staging/imx-drm/imx-drm-core.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b855bafd2e8d4b50c13586e5a00905fb9c03ed5a Author: Brad Spengler Date: Sun Mar 16 21:04:10 2014 -0400 fix arm allmodconfig drivers/net/can/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 611bf735a4def802205cc83a131ec9c77c194662 Author: Brad Spengler Date: Fri Mar 14 20:12:02 2014 -0400 add /usr/share/apport/apport to the allowed userland exec paths -- because apparently some distros have no problem just throwing critical binaries around anywhere. kernel/kmod.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 51692fc9a6be048dd0500f78f97aed4db87bc359 Merge: 54fa0d5 7fcc1d0 Author: Brad Spengler Date: Fri Mar 14 20:09:56 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/mips/mm/mmap.c commit 7fcc1d01537c3e4d4cb3494b4e19890864473376 Author: Brad Spengler Date: Fri Mar 14 20:08:19 2014 -0400 Update to pax-linux-3.13.6-test13.patch: - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/kernel/setup.c | 4 ++-- arch/arm/mm/mmu.c | 2 +- arch/mips/cavium-octeon/dma-octeon.c | 2 +- arch/mips/include/asm/hw_irq.h | 2 +- arch/mips/kernel/i8259.c | 2 +- arch/mips/kernel/irq-gt641xx.c | 2 +- arch/mips/kernel/reset.c | 4 ++++ arch/mips/mm/mmap.c | 2 +- arch/mips/pci/pci-octeon.c | 4 ++-- arch/mips/pci/pcie-octeon.c | 12 ++++++------ arch/mips/sni/rm200.c | 2 +- arch/mips/vr41xx/common/icu.c | 2 +- arch/mips/vr41xx/common/irq.c | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 2 +- ipc/mq_sysctl.c | 2 +- kernel/panic.c | 2 +- 18 files changed, 29 insertions(+), 25 deletions(-) commit 54fa0d51929173d4eb6c060ea966ec5abe32faaf Author: Brad Spengler Date: Wed Mar 12 22:54:32 2014 -0400 add support for PAX_EMUTRAMP by default in the autoconfig security/Kconfig | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 1a3518d87b5faa66b5684569bfe84024edc955ce Author: Laura Abbott Date: Mon Mar 10 15:49:44 2014 -0700 Upstream commit: 2af120bc040c5ebcda156df6be6a66610ab6957f mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block We received several reports of bad page state when freeing CMA pages previously allocated with alloc_contig_range: BUG: Bad page state in process Binder_A pfn:63202 page:d21130b0 count:0 mapcount:1 mapping: (null) index:0x7dfbf page flags: 0x40080068(uptodate|lru|active|swapbacked) Based on the page state, it looks like the page was still in use. The page flags do not make sense for the use case though. Further debugging showed that despite alloc_contig_range returning success, at least one page in the range still remained in the buddy allocator. There is an issue with isolate_freepages_block. In strict mode (which CMA uses), if any pages in the range cannot be isolated, isolate_freepages_block should return failure 0. The current check keeps track of the total number of isolated pages and compares against the size of the range: if (strict && nr_strict_required > total_isolated) total_isolated = 0; After taking the zone lock, if one of the pages in the range is not in the buddy allocator, we continue through the loop and do not increment total_isolated. If in the last iteration of the loop we isolate more than one page (e.g. last page needed is a higher order page), the check for total_isolated may pass and we fail to detect that a page was skipped. The fix is to bail out if the loop immediately if we are in strict mode. There's no benfit to continuing anyway since we need all pages to be isolated. Additionally, drop the error checking based on nr_strict_required and just check the pfn ranges. This matches with what isolate_freepages_range does. Signed-off-by: Laura Abbott Acked-by: Minchan Kim Cc: Mel Gorman Acked-by: Vlastimil Babka Cc: Joonsoo Kim Acked-by: Bartlomiej Zolnierkiewicz Acked-by: Michal Nazarewicz Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/compaction.c | 20 +++++++++++++------- 1 files changed, 13 insertions(+), 7 deletions(-) commit 6c2a0937a7bb61db66b01160334fa83c93c05c7b Author: Artem Fetishev Date: Mon Mar 10 15:49:45 2014 -0700 Upstream commit: 70335abb2689c8cd5df91bf2d95a65649addf50b fs/proc/base.c: fix GPF in /proc/$PID/map_files The expected logic of proc_map_files_get_link() is either to return 0 and initialize 'path' or return an error and leave 'path' uninitialized. By the time dname_to_vma_addr() returns 0 the corresponding vma may have already be gone. In this case the path is not initialized but the return value is still 0. This results in 'general protection fault' inside d_path(). Steps to reproduce: CONFIG_CHECKPOINT_RESTORE=y fd = open(...); while (1) { mmap(fd, ...); munmap(fd, ...); } ls -la /proc/$PID/map_files Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991 Signed-off-by: Artem Fetishev Signed-off-by: Aleksandr Terekhov Reported-by: Acked-by: Pavel Emelyanov Acked-by: Cyrill Gorcunov Reviewed-by: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/proc/base.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 34d22047e821cdae1d31beb2fdda8e6e9fe40cdf Author: Matthew Leach Date: Tue Mar 11 11:58:27 2014 +0000 Upstream commit: dbb490b96584d4e958533fb637f08b557f505657 net: socket: error on a negative msg_namelen When copying in a struct msghdr from the user, if the user has set the msg_namelen parameter to a negative value it gets clamped to a valid size due to a comparison between signed and unsigned values. Ensure the syscall errors when the user passes in a negative value. Signed-off-by: Matthew Leach Signed-off-by: David S. Miller net/socket.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit a28f7e3e1ec4d26bf7734c70ca3b6107e54597ca Author: Alexei Starovoitov Date: Mon Mar 10 15:56:51 2014 -0700 Upstream commit: fdfaf64e75397567257e1051931f9a3377360665 x86: bpf_jit: support negative offsets Commit a998d4342337 claimed to introduce negative offset support to x86 jit, but it couldn't be working, since at the time of the execution of LD+ABS or LD+IND instructions via call into bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func) had junk value instead of access size in bytes (1 or 2 or 4). Store size into %edx instead of %ecx (what original commit intended to do) Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets") Signed-off-by: Alexei Starovoitov Cc: Jan Seiffert Cc: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: David S. Miller arch/x86/net/bpf_jit.S | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 977ee3909139082a57a04afbb8e9ee202475aa27 Author: Brad Spengler Date: Wed Mar 12 19:21:43 2014 -0400 Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up -- if an attacker had an arbitrary read vuln and ability to redirect control flow, he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a 32bit random key which the attacker has XORed with his desired immediates to cause the constant blinding to produce a potentially useful instruction stream (which he could verify by abusing the infoleak). Instead of using one key per instruction stream, generate a new key for each instruction using prandom_u32(). The downside is some performance impact during JIT compilation, though this shouldn't be so common an event for anyone to notice. arch/x86/net/bpf_jit_comp.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 1b3f7f8f68d05143c0d55e8ceba0904c21007ad4 Author: Brad Spengler Date: Fri Mar 7 20:44:22 2014 -0500 fix typo ipc/mq_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 90c31e93dc4eb2045775930cacbb64318cabafad Author: Brad Spengler Date: Fri Mar 7 20:25:53 2014 -0500 add no_const to ctl_table located on stack ipc/mq_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 098fd10b3af4ef61b2edc60314ef18991b2f6f71 Author: Sabrina Dubroca Date: Thu Mar 6 17:51:57 2014 +0100 Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39 ipv6: don't set DST_NOCOUNT for remotely added routes DST_NOCOUNT should only be used if an authorized user adds routes locally. In case of routes which are added on behalf of router advertisments this flag must not get used as it allows an unlimited number of routes getting added remotely. Signed-off-by: Sabrina Dubroca Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/route.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c4bd306f576cc03b5f0f9e56253e3f0a3be5d3bd Merge: 71ed8ef a2aac72 Author: Brad Spengler Date: Fri Mar 7 20:10:30 2014 -0500 Merge branch 'pax-test' into grsec-test commit a2aac72603c2309d560a606493bb3003e2abe6c7 Merge: 96545e3 404df65 Author: Brad Spengler Date: Fri Mar 7 20:10:13 2014 -0500 Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/arm/mm/mmu.c mm/memory.c commit 71ed8ef8e7d2ffcc57b5ffacef3a9262ed8781c7 Author: Brad Spengler Date: Tue Mar 4 18:08:29 2014 -0500 Backport security fix: http://seclists.org/oss-sec/2014/q1/477 net/ipv4/inet_fragment.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d752f1f1704ddbec282d7eb2150c75e05b9bcdd3 Author: Daniel Borkmann Date: Mon Mar 3 17:23:04 2014 +0100 Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729 Remote DoS fix net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable RFC4895 introduced AUTH chunks for SCTP; during the SCTP handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS being optional though): ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- -------------------- COOKIE-ECHO --------------------> <-------------------- COOKIE-ACK --------------------- A special case is when an endpoint requires COOKIE-ECHO chunks to be authenticated: ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- ------------------ AUTH; COOKIE-ECHO ----------------> <-------------------- COOKIE-ACK --------------------- RFC4895, section 6.3. Receiving Authenticated Chunks says: The receiver MUST use the HMAC algorithm indicated in the HMAC Identifier field. If this algorithm was not specified by the receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk during association setup, the AUTH chunk and all the chunks after it MUST be discarded and an ERROR chunk SHOULD be sent with the error cause defined in Section 4.1. [...] If no endpoint pair shared key has been configured for that Shared Key Identifier, all authenticated chunks MUST be silently discarded. [...] When an endpoint requires COOKIE-ECHO chunks to be authenticated, some special procedures have to be followed because the reception of a COOKIE-ECHO chunk might result in the creation of an SCTP association. If a packet arrives containing an AUTH chunk as a first chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more chunks after them, and the receiver does not have an STCB for that packet, then authentication is based on the contents of the COOKIE-ECHO chunk. In this situation, the receiver MUST authenticate the chunks in the packet by using the RANDOM parameters, CHUNKS parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO chunk, and possibly a local shared secret as inputs to the authentication procedure specified in Section 6.3. If authentication fails, then the packet is discarded. If the authentication is successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO MUST be processed. If the receiver has an STCB, it MUST process the AUTH chunk as described above using the STCB from the existing association to authenticate the COOKIE-ECHO chunk and all the chunks after it. [...] Commit bbd0d59809f9 introduced the possibility to receive and verification of AUTH chunk, including the edge case for authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, the function sctp_sf_do_5_1D_ce() handles processing, unpacks and creates a new association if it passed sanity checks and also tests for authentication chunks being present. After a new association has been processed, it invokes sctp_process_init() on the new association and walks through the parameter list it received from the INIT chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO and SCTP_PARAM_CHUNKS, and copies them into asoc->peer meta data (peer_random, peer_hmacs, peer_chunks) in case sysctl -w net.sctp.auth_enable=1 is set. If in INIT's SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, peer_random != NULL and peer_hmacs != NULL the peer is to be assumed asoc->peer.auth_capable=1, in any other case asoc->peer.auth_capable=0. Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is available, we set up a fake auth chunk and pass that on to sctp_sf_authenticate(), which at latest in sctp_auth_calculate_hmac() reliably dereferences a NULL pointer at position 0..0008 when setting up the crypto key in crypto_hash_setkey() by using asoc->asoc_shared_key that is NULL as condition key_id == asoc->active_key_id is true if the AUTH chunk was injected correctly from remote. This happens no matter what net.sctp.auth_enable sysctl says. The fix is to check for net->sctp.auth_enable and for asoc->peer.auth_capable before doing any operations like sctp_sf_authenticate() as no key is activated in sctp_auth_asoc_init_active_key() for each case. Now as RFC4895 section 6.3 states that if the used HMAC-ALGO passed from the INIT chunk was not used in the AUTH chunk, we SHOULD send an error; however in this case it would be better to just silently discard such a maliciously prepared handshake as we didn't even receive a parameter at all. Also, as our endpoint has no shared key configured, section 6.3 says that MUST silently discard, which we are doing from now onwards. Before calling sctp_sf_pdiscard(), we need not only to free the association, but also the chunk->auth_chunk skb, as commit bbd0d59809f9 created a skb clone in that case. I have tested this locally by using netfilter's nfqueue and re-injecting packets into the local stack after maliciously modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) and the SCTP packet containing the COOKIE_ECHO (injecting AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Cc: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/sm_statefuns.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 855c02e8cb1af9b40752258060af547805881899 Author: Brad Spengler Date: Tue Mar 4 18:05:10 2014 -0500 Backport local DoS fix: http://seclists.org/oss-sec/2014/q1/494 security/keys/keyring.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 4877e98529649880ac76ade11e5529403a40ea73 Author: Brad Spengler Date: Mon Mar 3 14:42:58 2014 -0500 mark 'processor' as __read_only instead of forcing constify on it to avoid a GCC constant propagation that will cause a NULL deref on boot on ARM MULTI_CPU configs Thanks to Arnaud Fontaine and Arnaud Ebalard for the report, fix is from the PaX Team arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/kernel/setup.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit 9c8d2926262f0345af454da45b41c6259bdc89e8 Author: Andrew Honig Date: Thu Feb 27 19:35:14 2014 +0100 Upstream commit: a08d3b3b99efd509133946056531cdf8f3a0c09b kvm: x86: fix emulator buffer overflow (CVE-2014-0049) The problem occurs when the guest performs a pusha with the stack address pointing to an mmio address (or an invalid guest physical address) to start with, but then extending into an ordinary guest physical address. When doing repeated emulated pushes emulator_read_write sets mmio_needed to 1 on the first one. On a later push when the stack points to regular memory, mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0. As a result, KVM exits to userspace, and then returns to complete_emulated_mmio. In complete_emulated_mmio vcpu->mmio_cur_fragment is incremented. The termination condition of vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved. The code bounces back and fourth to userspace incrementing mmio_cur_fragment past it's buffer. If the guest does nothing else it eventually leads to a a crash on a memcpy from invalid memory address. However if a guest code can cause the vm to be destroyed in another vcpu with excellent timing, then kvm_clear_async_pf_completion_queue can be used by the guest to control the data that's pointed to by the call to cancel_work_item, which can be used to gain execution. Fixes: f78146b0f9230765c6315b2e14f56112513389ad Signed-off-by: Andrew Honig Cc: stable@vger.kernel.org (3.5+) Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40051b60939861d365baf66d95dadd3f090542ac Author: Mike Pecovnik Date: Mon Feb 24 21:11:16 2014 +0100 Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f net: Fix permission check in netlink_connect() netlink_sendmsg() was changed to prevent non-root processes from sending messages with dst_pid != 0. netlink_connect() however still only checks if nladdr->nl_groups is set. This patch modifies netlink_connect() to check for the same condition. Signed-off-by: Mike Pecovnik Signed-off-by: David S. Miller net/netlink/af_netlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a3be34042aa8d3eccb476cb240d8cdc85024b18a Author: Brad Spengler Date: Sat Mar 1 23:17:33 2014 -0500 Apply role_umask RBAC restrictions to POSIX ACLs as well fs/posix_acl.c | 7 +++++-- fs/xattr_acl.c | 9 +++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) commit 652b798b80f39815b94fc9b7192d648ad6b6cf64 Author: Brad Spengler Date: Mon Feb 24 21:57:37 2014 -0500 mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT grsecurity/Kconfig | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 5ffde76a88cb5dadc307cabc33d7ad253158b608 Author: Brad Spengler Date: Mon Feb 24 18:54:34 2014 -0500 use current_umask() helper in lustre instead of current->fs->umask drivers/staging/lustre/lustre/llite/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 49761e88b63e2771f09aa16cb4e98c681515cf31 Merge: daf0afa 96545e3 Author: Brad Spengler Date: Mon Feb 24 17:43:09 2014 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/cpu/common.c commit 96545e3f1c4df86c1d9b74a1916d1b712138345f Merge: 1ea0c4a dc0ead5 Author: Brad Spengler Date: Mon Feb 24 17:37:59 2014 -0500 Update to pax-linux-3.13.5-test11.patch: - fixed a mismerge in atomic64_sub_return on arm, reported by Arnaud Fontaine - the latent entropy plugin can now initialize structure variables as well Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/x86/kernel/ftrace.c include/linux/compiler-gcc4.h commit daf0afa64695bd49bf6be19450fea0a533edc3ab Author: Brad Spengler Date: Mon Feb 24 17:16:47 2014 -0500 when IPC hardening is disabled via sysctl, we shouldn't be imposing any additional restrictions thanks to Mathias Krause (minipli) for the report grsecurity/grsec_ipc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 179bf20a88510350fc86383c7d1b8e7d422cc604 Author: Brad Spengler Date: Fri Feb 21 12:06:41 2014 -0500 add missing return in the ARM refcount code. Thanks to Arnaud Fontaine for the report and patch! arch/arm/include/asm/atomic.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 5eecd26548fa8462296745eedf66858bf83532c9 Merge: d32875c 1ea0c4a Author: Brad Spengler Date: Thu Feb 20 21:39:25 2014 -0500 Merge branch 'pax-test' into grsec-test commit 1ea0c4ab7114838fb5f7b320c5c4bee6269c2f99 Author: Brad Spengler Date: Thu Feb 20 21:39:02 2014 -0500 Update to pax-linux-3.13.4-test10.patch tools/gcc/latent_entropy_plugin.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit d32875ccf8800fd9b458907fbd9f08e74847012b Author: Brad Spengler Date: Thu Feb 20 18:42:11 2014 -0500 work around pipacs' latent_entropy plugin tools/gcc/randomize_layout_plugin.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 91ea54c68a7f728341371d3ca8c6208acc885706 Author: Brad Spengler Date: Thu Feb 20 17:57:36 2014 -0500 .data takes the address of the ints, not their values net/core/neighbour.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit bc41258c48ca6acae51d191e914556ab37ca7c92 Merge: 3051292 0ce19d4 Author: Brad Spengler Date: Thu Feb 20 17:45:07 2014 -0500 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/compiler-gcc4.h commit 0ce19d411496f0ab77a86c1c5091b909fd720665 Author: Brad Spengler Date: Thu Feb 20 17:43:26 2014 -0500 Update to pax-linux-3.13.4-test10.patch: - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87) - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender - the latent entropy plugin will now insert some entropy at compile time into the random pools drivers/char/random.c | 6 +- fs/binfmt_elf.c | 2 +- include/linux/compiler-gcc4.h | 4 -- tools/gcc/gcc-common.h | 10 ++++- tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++---- tools/gcc/stackleak_plugin.c | 5 +- 6 files changed, 90 insertions(+), 21 deletions(-) commit 3051292e84bf30c218e447a105ab898e8c509b44 Merge: 71d207d 8a3ecf6 Author: Brad Spengler Date: Thu Feb 20 17:19:54 2014 -0500 Merge branch 'pax-test' into grsec-test commit 8a3ecf6d2b7e6304d259608e77a7259daeeeab9b Merge: 98242db 93ee5dc Author: Brad Spengler Date: Thu Feb 20 17:17:30 2014 -0500 Merge branch 'linux-3.13.y' into pax-test commit 71d207d2df0cc95b1cf26d1499317d5b010c4033 Author: Brad Spengler Date: Thu Feb 20 16:59:26 2014 -0500 Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was enabled, reported by jacekalex on the forums include/net/neighbour.h | 1 - net/core/neighbour.c | 9 +++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 6d3beec0d1c79dfad2ba060c4d06ebf65ce39d15 Author: Brad Spengler Date: Wed Feb 19 22:01:38 2014 -0500 Backport CIFS vuln fix: http://article.gmane.org/gmane.linux.kernel.cifs/9401 fs/cifs/file.c | 37 ++++++++++++++++++++++++++++++++++--- 1 files changed, 34 insertions(+), 3 deletions(-) commit 20eb03803ea2fea3f8c420b69097058122de32f6 Author: Trond Myklebust Date: Tue Feb 11 09:15:54 2014 -0500 Upstream commit: 06ea0bfe6e6043cb56a78935a19f6f8ebc636226 SUNRPC: Fix races in xs_nospace() When a send failure occurs due to the socket being out of buffer space, we call xs_nospace() in order to have the RPC task wait until the socket has drained enough to make it worth while trying again. The current patch fixes a race in which the socket is drained before we get round to setting up the machinery in xs_nospace(), and which is reported to cause hangs. Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...) Reported-by: Neil Brown Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust net/sunrpc/xprtsock.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 9fff690287df8c389126420e1dab2608ddb4be75 Author: Trond Myklebust Date: Tue Feb 11 13:56:54 2014 -0500 Upstream commit: 628356791b04ea988fee070f66a748a823d001bb SUNRPC: Fix potential memory scribble in xprt_free_bc_request() The call to xprt_free_allocation() will call list_del() on req->rq_bc_pa_list, which is not attached to a list. This patch moves the list_del() out of xprt_free_allocation() and into those callers that need it. Signed-off-by: Trond Myklebust net/sunrpc/backchannel_rqst.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 5382ae56cf22adf34d2dd9da03b3a44af0c846f1 Author: Trond Myklebust Date: Sun Feb 16 12:14:13 2014 -0500 Upstream commit: 9eb2ddb48ce3a7bd745c14a933112994647fa3cd SUNRPC: Ensure that gss_auth isn't freed before its upcall messages Fix a race in which the RPC client is shutting down while the gss daemon is processing a downcall. If the RPC client manages to shut down before the gss daemon is done, then the struct gss_auth used in gss_release_msg() may have already been freed. Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com Reported-by: John Reported-by: Borislav Petkov Cc: stable@vger.kernel.org # 3.12+ Signed-off-by: Trond Myklebust net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) commit 76e2d40cfc26bc44ba2ff4604c1f0ff4821ec13b Author: Trond Myklebust Date: Sun Feb 16 13:28:01 2014 -0500 Upstream commit: e9776d0f4adee8877145672f6416b06b57f2dc27 SUNRPC: Fix a pipe_version reference leak In gss_alloc_msg(), if the call to gss_encode_v1_msg() fails, we want to release the reference to the pipe_version that was obtained earlier in the function. Fixes: 9d3a2260f0f4b (SUNRPC: Fix buffer overflow checking in...) Signed-off-by: Trond Myklebust net/sunrpc/auth_gss/auth_gss.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 715c3e4109210d090282b360463aa474c978dcf5 Author: Christoffer Dall Date: Sun Feb 2 22:21:31 2014 +0100 Upstream commit: 4d9c5b89cf3605bbc39c6e274351ff25f0d83e6a ARM: 7950/1: mm: Fix stage-2 device memory attributes The stage-2 memory attributes are distinct from the Hyp memory attributes and the Stage-1 memory attributes. We were using the stage-1 memory attributes for stage-2 mappings causing device mappings to be mapped as normal memory. Add the S2 equivalent defines for memory attributes and fix the comments explaining the defines while at it. Add a prot_pte_s2 field to the mem_type struct and fill out the field for device mappings accordingly. Cc: [3.9+] Acked-by: Marc Zyngier Acked-by: Catalin Marinas Signed-off-by: Christoffer Dall Signed-off-by: Russell King Conflicts: arch/arm/mm/mmu.c arch/arm/include/asm/pgtable-3level.h | 15 +++++++++------ arch/arm/mm/mm.h | 1 + arch/arm/mm/mmu.c | 7 ++++++- 3 files changed, 16 insertions(+), 7 deletions(-) commit 49f25f2842b5e567ca45d5648460ad7cfd2af7ab Author: Will Deacon Date: Fri Feb 7 19:12:20 2014 +0100 Upstream commit: bae0ca2bc550d1ec6a118fb8f2696f18c4da3d8e ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU During __v{6,7}_setup, we invalidate the TLBs since we are about to enable the MMU on return to head.S. Unfortunately, without a subsequent dsb instruction, the invalidation is not guaranteed to have completed by the time we write to the sctlr, potentially exposing us to junk/stale translations cached in the TLB. This patch reworks the init functions so that the dsb used to ensure completion of cache/predictor maintenance is also used to ensure completion of the TLB invalidation. Cc: Reported-by: Albin Tonnerre Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/mm/proc-v6.S | 3 ++- arch/arm/mm/proc-v7.S | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) commit fa4b67556529451bd4489b07472f58feec35d51d Author: Will Deacon Date: Fri Feb 7 19:12:32 2014 +0100 Upstream commit: 7c8746a9eb287642deaad0e7c2cdf482dce5e4be ARM: 7955/1: spinlock: ensure we have a compiler barrier before sev When unlocking a spinlock, we require the following, strictly ordered sequence of events: /* dmb */ /* dsb */ Whilst the code does indeed reflect this in terms of the architecture, the final + have been contracted into a single inline asm without a "memory" clobber, therefore the compiler is at liberty to reorder the unlock to the end of the above sequence. In such a case, a waiting CPU may be woken up before the lock has been unlocked, leading to extremely poor performance. This patch reworks the dsb_sev() function to make use of the dsb() macro and ensure ordering against the unlock. Cc: Reported-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/include/asm/spinlock.h | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit f3efaba9e0a1d5d96fc0783ae8ec8e733e113bfa Author: Russell King Date: Tue Feb 11 17:11:04 2014 +0000 Upstream commit: e83b366487b5582274374f8226e489cb214ae5a6 Fix uses of dma_max_pfn() when converting to a limiting address We must use a 64-bit for this, otherwise overflowed bits get lost, and that can result in a lower than intended value set. Fixes: 8e0cb8a1f6ac ("ARM: 7797/1: mmc: Use dma_max_pfn(dev) helper for bounce_limit calculations") Fixes: 7d35496dd982 ("ARM: 7796/1: scsi: Use dma_max_pfn(dev) helper for bounce_limit calculations") Tested-Acked-by: Santosh Shilimkar Reviewed-by: Ulf Hansson Signed-off-by: Russell King drivers/mmc/card/queue.c | 2 +- drivers/scsi/scsi_lib.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 5a3e8a10d439ba8bcd893bf2159618908fe80384 Author: Vinayak Kale Date: Wed Feb 12 07:30:01 2014 +0100 Upstream commit: 39544ac9df20f73e49fc6b9ac19ff533388c82c0 ARM: 7957/1: add DSB after icache flush in __flush_icache_all() Add DSB after icache flush to complete the cache maintenance operation. Signed-off-by: Vinayak Kale Acked-by: Catalin Marinas Cc: Signed-off-by: Russell King arch/arm/include/asm/cacheflush.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 26d22a6946dfbb4f4a760038816c43ba49504863 Author: Linus Torvalds Date: Mon Feb 17 12:24:45 2014 -0800 Upstream commit: e4178d809fdaee32a56833fff1f5056c99e90a1a printk: fix syslog() overflowing user buffer This is not a buffer overflow in the traditional sense: we don't overflow any *kernel* buffers, but we do mis-count the amount of data we copy back to user space for the SYSLOG_ACTION_READ_ALL case. In particular, if the user buffer is too small to hold everything, and *if* there is a continuation line at just the right place, we can end up giving the user more data than he asked for. The reason is that we first count up the number of bytes all the log records contains, then we walk the records again until we've skipped the records at the beginning that won't fit, and then we walk the rest of the records and copy them to the user space buffer. And in between that "skip the initial records that won't fit" and the "copy the records that *will* fit to user space", we reset the 'prev' variable that contained the record information for the last record not copied. That meant that when we started copying to user space, we now had a different character count than what we had originally calculated in the first record walk-through. The fix is to simply not clear the 'prev' flags value (in both cases where we had the same logic: syslog_print_all and kmsg_dump_get_buffer: the latter is used for pstore-like dumping) Reported-and-tested-by: Debabrata Banerjee Acked-by: Kay Sievers Cc: Greg Kroah-Hartman Cc: Jeff Mahoney Signed-off-by: Linus Torvalds kernel/printk/printk.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 88d5fdac3aa7813d963ab5a3325c2f15c36c97cf Author: Rafael Aquini Date: Mon Feb 10 14:25:48 2014 -0800 Upstream commit: a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c mm: fix page leak at nfs_symlink() Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from __pagevec_lru_add and remove parts of pagevec API") have introduced a call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as now the page gets an extra refcount that is not dropped. Jan Stancek observed and reported the leak effect while running test8 from Connectathon Testsuite. After several iterations over the test case, which creates several symlinks on a NFS mountpoint, the test system was quickly getting into an out-of-memory scenario. This patch fixes the page leak by dropping that extra refcount add_to_page_cache_lru() is grabbing. Signed-off-by: Jan Stancek Signed-off-by: Rafael Aquini Acked-by: Mel Gorman Acked-by: Rik van Riel Cc: Jeff Layton Cc: Trond Myklebust Cc: [3.11.x+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/nfs/dir.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit bf53635ba34d0ef231a89dd30aa9954b0fa3d87b Author: Dan Carpenter Date: Mon Feb 17 20:33:01 2014 -0500 Upstream commit: 92e3b40537707001d17bbad800d150ab04e53bf4 jbd2: fix use after free in jbd2_journal_start_reserved() If start_this_handle() fails then it leads to a use after free of "handle". Signed-off-by: Dan Carpenter Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/jbd2/transaction.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 7eb9d6b170b2d83e9a59d8d5e9c3eaec76b3e1a2 Author: Theodore Ts'o Date: Sat Feb 15 22:42:25 2014 -0500 Upstream commit: 3d2660d0c9c2f296837078c189b68a47f6b2e3b5 ext4: fix online resize with a non-standard blocks per group setting The set_flexbg_block_bitmap() function assumed that the number of blocks in a blockgroup was sb->blocksize * 8, which is normally true, but not always! Use EXT4_BLOCKS_PER_GROUP(sb) instead, to fix block bitmap corruption after: mke2fs -t ext4 -g 3072 -i 4096 /dev/vdd 1G mount -t ext4 /dev/vdd /vdd resize2fs /dev/vdd 8G Signed-off-by: "Theodore Ts'o" Reported-by: Jon Bernard Cc: stable@vger.kernel.org fs/ext4/resize.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 588500229af3505116b0fe05c4e54a06cabd64e4 Author: Theodore Ts'o Date: Sat Feb 15 21:33:13 2014 -0500 Upstream commit: b93c95353413041a8cebad915a8109619f66bcc6 ext4: fix online resize with very large inode tables If a file system has a large number of inodes per block group, all of the metadata blocks in a flex_bg may be larger than what can fit in a single block group. Unfortunately, ext4_alloc_group_tables() in resize.c was never tested to see if it would handle this case correctly, and there were a large number of bugs which caused the following sequence to result in a BUG_ON: kernel bug at fs/ext4/resize.c:409! ... call trace: [] ext4_flex_group_add+0x1448/0x1830 [] ext4_resize_fs+0x7b2/0xe80 [] ext4_ioctl+0xbf0/0xf00 [] do_vfs_ioctl+0x2dd/0x4b0 [] ? final_putname+0x22/0x50 [] sys_ioctl+0x81/0xa0 [] system_call_fastpath+0x16/0x1b code: c8 4c 89 df e8 41 96 f8 ff 44 89 e8 49 01 c4 44 29 6d d4 0 rip [] set_flexbg_block_bitmap+0x171/0x180 This can be reproduced with the following command sequence: mke2fs -t ext4 -i 4096 /dev/vdd 1G mount -t ext4 /dev/vdd /vdd resize2fs /dev/vdd 8G To fix this, we need to make sure the right thing happens when a block group's inode table straddles two block groups, which means the following bugs had to be fixed: 1) Not clearing the BLOCK_UNINIT flag in the second block group in ext4_alloc_group_tables --- the was proximate cause of the BUG_ON. 2) Incorrectly determining how many block groups contained contiguous free blocks in ext4_alloc_group_tables(). 3) Incorrectly setting the start of the next block range to be marked in use after a discontinuity in setup_new_flex_group_blocks(). Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/ext4/resize.c | 32 ++++++++++++++++++++------------ 1 files changed, 20 insertions(+), 12 deletions(-) commit dfb5654f8a9946e06f67d0481c907fa9ae4c6b04 Author: Theodore Ts'o Date: Wed Feb 12 12:16:04 2014 -0500 Upstream commit: 23301410972330c0ae9a8afc379ba2005e249cc6 ext4: don't try to modify s_flags if the the file system is read-only If an ext4 file system is created by some tool other than mke2fs (perhaps by someone who has a pathalogical fear of the GPL) that doesn't set one or the other of the EXT2_FLAGS_{UN}SIGNED_HASH flags, and that file system is then mounted read-only, don't try to modify the s_flags field. Otherwise, if dm_verity is in use, the superblock will change, causing an dm_verity failure. Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/ext4/super.c | 20 +++++++++++++------- 1 files changed, 13 insertions(+), 7 deletions(-) commit d2a631f973d3cff9a1c015cb64b08bb9cc52de8b Author: Eric Whitney Date: Wed Feb 12 10:42:45 2014 -0500 Upstream commit: 15cc17678547676c82a5da9ccf357447333fc342 ext4: fix xfstest generic/299 block validity failures Commit a115f749c1 (ext4: remove wait for unwritten extent conversion from ext4_truncate) exposed a bug in ext4_ext_handle_uninitialized_extents(). It can be triggered by xfstest generic/299 when run on a test file system created without a journal. This test continuously fallocates and truncates files to which random dio/aio writes are simultaneously performed by a separate process. The test completes successfully, but if the test filesystem is mounted with the block_validity option, a warning message stating that a logical block has been mapped to an illegal physical block is posted in the kernel log. The bug occurs when an extent is being converted to the written state by ext4_end_io_dio() and ext4_ext_handle_uninitialized_extents() discovers a mapping for an existing uninitialized extent. Although it sets EXT4_MAP_MAPPED in map->m_flags, it fails to set map->m_pblk to the discovered physical block number. Because map->m_pblk is not otherwise initialized or set by this function or its callers, its uninitialized value is returned to ext4_map_blocks(), where it is stored as a bogus mapping in the extent status tree. Since map->m_pblk can accidentally contain illegal values that are larger than the physical size of the file system, calls to check_block_validity() in ext4_map_blocks() that are enabled if the block_validity mount option is used can fail, resulting in the logged warning message. Signed-off-by: Eric Whitney Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org # 3.11+ fs/ext4/extents.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7eb52392ee886f01a5c944f35fbe95edc2169877 Author: Zheng Liu Date: Wed Feb 12 11:48:31 2014 -0500 Upstream commit: 30d29b119ef01776e0a301444ab24defe8d8bef3 ext4: fix error paths in swap_inode_boot_loader() In swap_inode_boot_loader() we forgot to release ->i_mutex and resume unlocked dio for inode and inode_bl if there is an error starting the journal handle. This commit fixes this issue. Reported-by: Ahmed Tamrawi Cc: Andreas Dilger Cc: Dr. Tilmann Bubeck Signed-off-by: Zheng Liu Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org # v3.10+ fs/ext4/ioctl.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4dc90c1991032c483b11690717ba07952f4fef07 Author: Theodore Ts'o Date: Sun Feb 16 19:29:32 2014 -0500 Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02 ext4: don't leave i_crtime.tv_sec uninitialized If the i_crtime field is not present in the inode, don't leave the field uninitialized. Fixes: ef7f38359 ("ext4: Add nanosecond timestamps") Reported-by: Vegard Nossum Tested-by: Vegard Nossum Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/ext4/ext4.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 9d8aa319cfbfdb4bdf7a5d4adc4b93fe028bec12 Author: Brad Spengler Date: Wed Feb 19 20:39:37 2014 -0500 While a Xen dom0 is technically a guest, it's perceived as a host by many and there's really no Linux "host" for Xen, so allow PARAVIRT to be enabled on "host" kernels only when Xen is selected Thanks to gaima on the forums for the report Conflicts: arch/x86/Kconfig arch/x86/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8ef15c34cb044db1ae729a53327e5b848631fbee Author: Petr Písař Date: Thu Feb 6 21:01:23 2014 +0100 Upstream commit: 0930b0950a8996aa88b0d2ba4bb2bab27cc36bc7 vt: Fix secure clear screen \E[3J console code (secure clear screen) needs to update_screen(vc) in order to write-through blanks into off-screen video memory. This has been removed accidentally in 3.6 by: commit 81732c3b2fede049a692e58a7ceabb6d18ffb18c Author: Jean-François Moine Date: Thu Sep 6 19:24:13 2012 +0200 tty vt: Fix line garbage in virtual console on command line edition Signed-off-by: Petr Písař Cc: stable # 3.6 Signed-off-by: Greg Kroah-Hartman drivers/tty/vt/vt.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8568da92bd738464772c24fd68a9b300d22985b5 Author: H. Peter Anvin Date: Thu Feb 13 07:46:04 2014 -0800 Upstream commit: 4640c7ee9b8953237d05a61ea3ea93981d1bc961 x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions which are incorrect (as the AC flag doesn't matter), causing spurious faults. The dynamic disabling of SMAP (nosmap on the command line) is fine because it disables X86_FEATURE_SMAP, therefore causing the static_cpu_has() to return false. Found by Fengguang Wu's test system. [ v3: move all predicates into smap_violation() ] [ v2: use IS_ENABLED() instead of #ifdef ] Reported-by: Fengguang Wu Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost Signed-off-by: H. Peter Anvin Cc: # v3.7+ arch/x86/mm/fault.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit dc68abaa1208e66be3bc07eb57855d4ab413373c Author: H. Peter Anvin Date: Thu Feb 13 07:34:30 2014 -0800 Upstream commit: 03bbd596ac04fef47ce93a730b8f086d797c3021 x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled If SMAP support is not compiled into the kernel, don't enable SMAP in CR4 -- in fact, we should clear it, because the kernel doesn't contain the proper STAC/CLAC instructions for SMAP support. Found by Fengguang Wu's test system. Reported-by: Fengguang Wu Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost Signed-off-by: H. Peter Anvin Cc: # v3.7+ arch/x86/kernel/cpu/common.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 6d804df770568f2d41f36cc446dc2c4b9ddbdc66 Author: Steven Noonan Date: Wed Feb 12 23:01:07 2014 -0800 Upstream commit: a9f180345f5378ac87d80ed0bea55ba421d83859 compiler/gcc4: Make quirk for asm_volatile_goto() unconditional I started noticing problems with KVM guest destruction on Linux 3.12+, where guest memory wasn't being cleaned up. I bisected it down to the commit introducing the new 'asm goto'-based atomics, and found this quirk was later applied to those. Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the known 'asm goto' bug) I am still getting some kind of miscompilation. If I enable the asm_volatile_goto quirk for my compiler, KVM guests are destroyed correctly and the memory is cleaned up. So make the quirk unconditional for now, until bug is found and fixed. Suggested-by: Linus Torvalds Signed-off-by: Steven Noonan Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Jakub Jelinek Cc: Richard Henderson Cc: Andrew Morton Cc: Oleg Nesterov Cc: Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 Signed-off-by: Ingo Molnar include/linux/compiler-gcc4.h | 6 +----- 1 files changed, 1 insertions(+), 5 deletions(-) commit df681ad2079c8b443dd98a66daa49a96f6803118 Author: Brad Spengler Date: Sat Feb 15 14:43:58 2014 -0500 add note on how to disable rate limiting on log messages grsecurity/Kconfig | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 247661801d1a9904eac479770aac8c31adfb3a03 Merge: 294e38e 98242db Author: Brad Spengler Date: Thu Feb 13 20:17:09 2014 -0500 Merge branch 'pax-test' into grsec-test commit 98242dba193affafa9996207af8aaee0a58e237c Author: Brad Spengler Date: Thu Feb 13 20:16:39 2014 -0500 Update to pax-linux-3.13.3-test9.patch: - forward port to 3.13.3 - updated hash table from Emese, missing entries reported by Adam ChyÅ‚a and Matthew Thode kernel/sched/core.c | 2 +- kernel/trace/ftrace.c | 8 ++++---- tools/gcc/size_overflow_hash.data | 6 ++++++ 3 files changed, 11 insertions(+), 5 deletions(-) commit 294e38ee2ac097654f11df09cfe8c5584a573b6c Merge: d1fd1fc 990a904 Author: Brad Spengler Date: Thu Feb 13 18:11:12 2014 -0500 Merge branch 'pax-test' into grsec-test commit 990a9041b296c2afe56f7c5ff4bb2e2e0ed6298f Merge: d32ab3c 7955a48 Author: Brad Spengler Date: Thu Feb 13 18:11:01 2014 -0500 Merge branch 'linux-3.13.y' into pax-test Conflicts: kernel/trace/ftrace.c commit d1fd1fc0d4c9d07cd6f2f2dad040db0f1c433b5d Author: Brad Spengler Date: Thu Feb 13 16:50:39 2014 -0500 Force off all virtualization guest options if the autoconfig choice was not for the kernel to be used for vm guests likewise force off Xen if it wasn't mentioned in the autoconfig arch/x86/Kconfig | 1 + arch/x86/xen/Kconfig | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 6f7fd76856916bda9145d3fb89b3462b18630c75 Merge: 32aa9fa d32ab3c Author: Brad Spengler Date: Thu Feb 13 15:25:21 2014 -0500 Merge branch 'pax-test' into grsec-test commit d32ab3c04e157fd34738846fc1cbdbed5eab1147 Author: Brad Spengler Date: Thu Feb 13 15:24:57 2014 -0500 Update to pax-linux-3.13.2-test9.patch: - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv for help tools/gcc/Makefile | 2 +- tools/gcc/latent_entropy_plugin.c | 18 +++++++++-- tools/gcc/size_overflow_plugin.c | 19 +++++++++-- tools/gcc/stackleak_plugin.c | 58 ++++++++++++++++++++++++++++-------- 4 files changed, 76 insertions(+), 21 deletions(-) commit 32aa9fa0174969476774c472226d304f122291a5 Author: Brad Spengler Date: Thu Feb 13 12:35:16 2014 -0500 add missing header grsecurity/grsec_mem.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48d8d3b1b527d8dc7a9162bda44d32608906632 Author: Brad Spengler Date: Thu Feb 13 12:04:44 2014 -0500 export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL Conflicts: grsecurity/gracl.c grsecurity/grsec_disabled.c grsecurity/grsec_exec.c grsecurity/gracl.c | 8 ++++---- grsecurity/grsec_chroot.c | 2 +- grsecurity/grsec_disabled.c | 4 ++-- grsecurity/grsec_exec.c | 8 ++++---- grsecurity/grsec_init.c | 2 +- grsecurity/grsec_mem.c | 1 + grsecurity/grsec_sock.c | 12 ++++++------ grsecurity/grsec_time.c | 2 +- 8 files changed, 20 insertions(+), 19 deletions(-) commit 3c05c8568522f6a660debeaacf536a99a0212342 Author: Brad Spengler Date: Thu Feb 13 11:28:26 2014 -0500 add missing header arch/x86/kernel/msr.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e68254d468db8b3a28fa549606136fdba9276a75 Author: Brad Spengler Date: Thu Feb 13 11:12:36 2014 -0500 fix typo arch/x86/kernel/msr.c | 4 ++-- include/linux/grsecurity.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 2845d9e8598070db65f7429ecf2ac1803077ed9e Author: Brad Spengler Date: Thu Feb 13 10:57:06 2014 -0500 PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead tools/gcc/randomize_layout_plugin.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1cd63e6169739aa7881796ac74b43b83bdbd8626 Author: Brad Spengler Date: Thu Feb 13 09:23:29 2014 -0500 Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes. Log all writing attempts. arch/x86/Kconfig | 1 - arch/x86/kernel/msr.c | 9 +++++++++ grsecurity/grsec_mem.c | 6 ++++++ include/linux/grmsg.h | 1 + include/linux/grsecurity.h | 1 + 5 files changed, 17 insertions(+), 1 deletions(-) commit a750206a1934759fc0da5ab831852a22ce720862 Author: Richard Yao Date: Sat Feb 8 19:32:01 2014 -0500 Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers The 9p-virtio transport does zero copy on things larger than 1024 bytes in size. It accomplishes this by returning the physical addresses of pages to the virtio-pci device. At present, the translation is usually a bit shift. That approach produces an invalid page address when we read/write to vmalloc buffers, such as those used for Linux kernel modules. Any attempt to load a Linux kernel module from 9p-virtio produces the following stack. [] p9_virtio_zc_request+0x45e/0x510 [] p9_client_zc_rpc.constprop.16+0xfd/0x4f0 [] p9_client_read+0x15d/0x240 [] v9fs_fid_readn+0x50/0xa0 [] v9fs_file_readn+0x10/0x20 [] v9fs_file_read+0x37/0x70 [] vfs_read+0x9b/0x160 [] kernel_read+0x41/0x60 [] copy_module_from_fd.isra.34+0xfb/0x180 Subsequently, QEMU will die printing: qemu-system-x86_64: virtio: trying to map MMIO memory This patch enables 9p-virtio to correctly handle this case. This not only enables us to load Linux kernel modules off virtfs, but also enables ZFS file-based vdevs on virtfs to be used without killing QEMU. Special thanks to both Avi Kivity and Alexander Graf for their interpretation of QEMU backtraces. Without their guidence, tracking down this bug would have taken much longer. Also, special thanks to Linus Torvalds for his insightful explanation of why this should use is_vmalloc_addr() instead of is_vmalloc_or_module_addr(): https://lkml.org/lkml/2014/2/8/272 Signed-off-by: Richard Yao Signed-off-by: David S. Miller net/9p/trans_virtio.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 6f3de18441f63778b664f2815cfc0d2af0d22f4f Author: Brad Spengler Date: Thu Feb 13 08:38:14 2014 -0500 rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals add a useful compile error if we try building with < gcc 4.6.4 tools/gcc/randomize_layout_plugin.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 596b24936ed3687455327c3d26a8a820263a1f88 Author: Brad Spengler Date: Tue Feb 11 17:33:49 2014 -0500 [PATCH] random: fix overflow for big nbits values in credit_entropy_bits() Commit 30e37ec516ae "random: account for entropy loss due to overwrites" introduced an overflow in the arithmetics of credit_entropy_bits() when CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool size and therefore invalidates the assumptions of the "nifty" formula. Fix the overflow by using 64bit arithmetics. Reported-by: Torsten Hilbrich Signed-off-by: Mathias Krause This bug is at worst a privileged DoS -- with RANDNET enabled, an admin with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once can cause less than expected entropy to be credited (but this doesn't affect how much is actually added). For specific buffer sizes, this can result in 0 entropy being credited and end in a situation in which the kernel can't recover, causing future reads from /dev/random to stall. Many thanks to Torsten and Mathias for the report! drivers/char/random.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 04f9fc1040b96a623cca444b330a3a96c104d3af Author: Brad Spengler Date: Sun Feb 9 11:30:53 2014 -0500 just ignore the seed file, the hash is in a different dir tools/gcc/.gitignore | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit eaddc3f039b57731d04d90e334cf75c6cdde895d Author: Brad Spengler Date: Sun Feb 9 11:27:22 2014 -0500 Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead Documentation/dontdiff | 2 +- Makefile | 4 +--- include/linux/vermagic.h | 1 + tools/gcc/.gitignore | 4 ++-- tools/gcc/Makefile | 9 ++++----- tools/gcc/gen-random-seed.sh | 3 ++- 6 files changed, 11 insertions(+), 12 deletions(-) commit d3fcb6991a09d163867dd6e7e04ad5675f9c3202 Author: Brad Spengler Date: Sat Feb 8 22:03:25 2014 -0500 update dontdiff and .gitignore to reflect new seed/hash filenames for RANDSTRUCT Documentation/dontdiff | 4 ++-- tools/gcc/.gitignore | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 3e96d2ad6f7e3373a978767099f3b3bb12890644 Author: Brad Spengler Date: Sat Feb 8 20:02:12 2014 -0500 don't divide cputime by HZ as some architectures can't handle this use proper task_cputime and cputime_to_secs wrappers Thanks to Michael Tremer for the report grsecurity/gracl.c | 23 ++++++++++++----------- 1 files changed, 12 insertions(+), 11 deletions(-) commit bff837da26077ae243118561da6e31e8d2ef83b7 Author: Brad Spengler Date: Thu Feb 6 21:26:51 2014 -0500 gcc 4.9 update for RANDSTRUCT plugin part 1 tools/gcc/randomize_layout_plugin.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 58eee46f846245affdc86a1fd057bc7802bfef63 Merge: 954a136 2b56794 Author: Brad Spengler Date: Thu Feb 6 20:36:18 2014 -0500 Merge branch 'pax-test' into grsec-test commit 2b56794a375594b35d2984d0950059977624a5ed Author: Brad Spengler Date: Thu Feb 6 20:35:40 2014 -0500 Update to pax-linux-3.13.2-test8.patch: - fixed compile errors on arm due to constification, reported by Michael Tremer - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender - added a new header to gcc-common.h, reported by spender - some useful backports from upstream 3.14: - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9 Makefile | 8 +++++++- arch/arm/mach-omap2/powerdomains43xx_data.c | 5 ++++- arch/x86/include/asm/tlbflush.h | 1 - drivers/gpu/drm/armada/armada_drv.c | 10 +--------- drivers/gpu/drm/tegra/hdmi.c | 2 +- drivers/misc/eeprom/sunxi_sid.c | 4 +++- drivers/mmc/host/sdhci-esdhc-imx.c | 7 +++++-- include/drm/drmP.h | 1 + include/drm/ttm/ttm_page_alloc.h | 1 + tools/gcc/gcc-common.h | 1 + 10 files changed, 24 insertions(+), 16 deletions(-) commit 954a136c7f2ce3a76f9a8b148c49614092554b5b Author: Brad Spengler Date: Thu Feb 6 20:20:41 2014 -0500 Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2 security/selinux/ss/services.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit a16066ea179a4f15b368cd5003d9c3638aa7f48e Author: Brad Spengler Date: Thu Feb 6 20:16:57 2014 -0500 don't pass the seed via build commandline, store it in a header file instead and build it into the RANDSTRUCT plugin. set up proper dependencies for the generated files used by the RANDSTRUCT plugin, fixing some race conditions in the build process support O= argument to make and place generated files in the target directory tree update RANDSTRUCT documentation Makefile | 6 ++---- grsecurity/Kconfig | 2 +- scripts/gen-random-seed.sh | 8 -------- tools/gcc/Makefile | 10 +++++++++- tools/gcc/gen-random-seed.sh | 7 +++++++ tools/gcc/randomize_layout_plugin.c | 23 ++++++++--------------- 6 files changed, 27 insertions(+), 29 deletions(-) commit 79cb2972d4d5e61a831e8eae996b286f433afd10 Author: Brad Spengler Date: Thu Feb 6 18:15:24 2014 -0500 make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make' grsecurity/Makefile | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 10a483b7ae687f15e3836234175920518ec50fa7 Merge: 95e6c94 5a87ea7 Author: Brad Spengler Date: Thu Feb 6 17:21:02 2014 -0500 Merge branch 'pax-test' into grsec-test commit 5a87ea74aab86c3c211612d1ae7cac26694b736d Merge: 1554390 fd82174 Author: Brad Spengler Date: Thu Feb 6 17:19:50 2014 -0500 Merge branch 'linux-3.13.y' into pax-test Conflicts: net/compat.c commit 95e6c94d6945ce8acfb56997feada8fde8aab8a6 Author: Brad Spengler Date: Wed Feb 5 23:43:27 2014 -0500 avoid printing jibberish in some instances with RANDSTRUCT and modules built with other seeds, as the kernel's module loader trusts the module layout kernel/module.c | 25 +++++++++++++++++++++++++ 1 files changed, 25 insertions(+), 0 deletions(-) commit 71ff747386915adda2113b08c47b0ccb1683dea5 Author: Brad Spengler Date: Wed Feb 5 23:32:26 2014 -0500 Introduce the non-performance mode -- the performance mode had previously been inadvertently forced on regardless of config setting Resolve an issue with gcc completing declarations for recently finished types *before* the plugin's finish_type being called to randomize that structure. This resulted in too small a structure size being emitted for this_module and generally crashes whenever modules were loaded. Makefile | 2 +- tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletions(-) commit e17b47e4f837bb769f5159b928f5accce5131514 Author: Brad Spengler Date: Mon Feb 3 17:30:32 2014 -0500 select DEBUG_KERNEL in addition to DEBUG_LIST security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1a4fd0231e9cee0203dd7f10faf89d721883b6a4 Merge: 5fb88fe 1554390 Author: Brad Spengler Date: Sun Feb 2 21:25:11 2014 -0500 Merge branch 'pax-test' into grsec-test commit 1554390d0c012ebcbe8734216913fcb94681db2b Author: Brad Spengler Date: Sun Feb 2 21:24:45 2014 -0500 update plugin start_unit names tools/gcc/latent_entropy_plugin.c | 2 +- tools/gcc/size_overflow_plugin.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 5fb88febacff2f061c9aad406d107177acc3f950 Author: Brad Spengler Date: Sun Feb 2 21:23:30 2014 -0500 update copyright date grsecurity/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f4d392661ab08166ed1aa81d4f1d90fec146f761 Author: Brad Spengler Date: Sun Feb 2 21:23:08 2014 -0500 update copyright message grsecurity/Makefile | 22 ++++++++++++++++------ 1 files changed, 16 insertions(+), 6 deletions(-) commit 7bd6dcd5823155b1948fe0815a7aa173da6bea35 Author: Brad Spengler Date: Sat Feb 1 19:53:04 2014 -0500 update RANDSTRUCT plugin to eliminate false posities on struct type mismatches resulting from an IS_ERR() sequence add checks for bad casts in local and global variable initializers use the main variant when comparing types tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++-- 1 files changed, 144 insertions(+), 6 deletions(-) commit 5349795dd080969318409078672c2c53c0645354 Author: Brad Spengler Date: Sat Feb 1 15:13:06 2014 -0500 remove unnecessary TODO_* flags for our passive bad cast gimple pass tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a22b89b09d12e3db4b464d3b26e45c7b3a65c0ba Author: Brad Spengler Date: Sat Feb 1 10:55:36 2014 -0500 fix RANDSTRUCT plugin compatibility with gcc 4.9 tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b3d5d360931c93bdeaf6fa199e29f47e7f70b17b Author: Brad Spengler Date: Fri Jan 31 21:52:14 2014 -0500 sanity check to make sure we never randomize a struct in include/uapi/* scripts/gen-random-seed.sh | 2 +- tools/gcc/randomize_layout_plugin.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletions(-) commit d2057f02e759a707a700bc9c80d1f7f55afa89f1 Author: Brad Spengler Date: Fri Jan 31 18:11:51 2014 -0500 force on modversion support if RANDSTRUCT is enabled so that we're sure no modules can be loaded that were built with a different seed grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 5e1f8e0b67af1f2876f1906eab828914a1c2670b Author: Brad Spengler Date: Thu Jan 30 16:47:31 2014 -0500 Fix an extremely serious vulnerability (it's nearly an arbitrary write) introduced in 3.4 with the addition of X32 support. Hopefully most users haven't enabled this option, but as it's enabled now in some distros (e.g. Ubuntu, which is affected) the chance is more likely for those importing base configs from such a distro. I would recommend you disable X32 support, especially if you're not using it. As this bug could have been discovered with even a completely dumb syscall fuzzer, it should be clear what level of testing went into X32 support. Normally we would have fixed this immediately, announced it, and moved on, but this was not my bug and not my choice. So I got to wait for the likes of linux-distros and security@kernel.org to decide when it could be fixed, while I had to continue releasing grsecurity patches without the fix for a serious vulnerability I was aware of for two days. I'm not happy at all about this, and this is exactly why I refuse to work in any kind of situation where I would become aware of something that I couldn't fix immediately. Hopefully this is the last time this will happen. Credits to the PaX Team for finding the bug and writing the fix. This is CVE-2014-0038. net/compat.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit 9d599455aa9fb272a7160c3f8276771a5af7c74a Merge: 6aeb51b f93afd1 Author: Brad Spengler Date: Wed Jan 29 21:49:00 2014 -0500 Merge branch 'pax-test' into grsec-test commit f93afd1627ef450a96e96bdb2b984aefb66cb531 Author: Brad Spengler Date: Wed Jan 29 21:48:24 2014 -0500 Update to pax-linux-3.13.1-test6.patch: - forward port to 3.13.1 - fixed a weak UDEREF regression resulting in a kernel hang on boot, reported by Negres arch/x86/include/asm/uaccess_64.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 18727190851782d5ee2b5fe579e4a4c379303a34 Merge: b9c766b 07ecf16 Author: Brad Spengler Date: Wed Jan 29 21:41:57 2014 -0500 Merge branch 'linux-3.13.y' into pax-test commit 6aeb51bccfcad549c3b39235df08aa043cdfa9bc Author: Weston Andros Adamson Date: Tue Dec 17 12:16:11 2013 -0500 Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d sunrpc: Fix infinite loop in RPC state machine When a task enters call_refreshresult with status 0 from call_refresh and !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting or max number of retries. Instead of trying forever, make use of the retry path that other errors use. This only seems to be possible when the crrefresh callback is gss_refresh_null, which only happens when destroying the context. To reproduce: 1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific operations). 2) reboot - the client will be stuck and will need to be hard rebooted BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46] Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy irq event stamp: 195724 hardirqs last enabled at (195723): [] restore_args+0x0/0x30 hardirqs last disabled at (195724): [] apic_timer_interrupt+0x6a/0x80 softirqs last enabled at (195722): [] __do_softirq+0x1df/0x276 softirqs last disabled at (195717): [] irq_exit+0x53/0x9a CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013 Workqueue: rpciod rpc_async_schedule [sunrpc] task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000 RIP: 0010:[] [] __rpc_execute+0x8a/0x362 [sunrpc] RSP: 0018:ffff880079003d18 EFLAGS: 00000246 RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007 RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900 RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7 R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900 FS: 0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0 Stack: ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830 ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260 ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000 Call Trace: [] ? trace_hardirqs_on_caller+0x145/0x1a1 [] rpc_async_schedule+0x27/0x32 [sunrpc] [] process_one_work+0x211/0x3a5 [] ? process_one_work+0x172/0x3a5 [] worker_thread+0x134/0x202 [] ? rescuer_thread+0x280/0x280 [] ? rescuer_thread+0x280/0x280 [] kthread+0xc9/0xd1 [] ? __kthread_parkme+0x61/0x61 [] ret_from_fork+0x7c/0xb0 [] ? __kthread_parkme+0x61/0x61 Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00 And the output of "rpcdebug -m rpc -s all": RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refresh (status 0) RPC: 61 call_refreshresult (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refreshresult (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 Signed-off-by: Weston Andros Adamson Cc: stable@vger.kernel.org # 2.6.37+ Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 9ad04e13872458b4883e9f8f087cad538ae8f3e3 Author: Scott Mayhew Date: Fri Jan 17 15:12:05 2014 -0500 Upstream commit: 263b4509ec4d47e0da3e753f85a39ea12d1eff24 nfs: always make sure page is up-to-date before extending a write to cover the entire page We should always make sure the cached page is up-to-date when we're determining whether we can extend a write to cover the full page -- even if we've received a write delegation from the server. Commit c7559663 added logic to skip this check if we have a write delegation, which can lead to data corruption such as the following scenario if client B receives a write delegation from the NFS server: Client A: # echo 123456789 > /mnt/file Client B: # echo abcdefghi >> /mnt/file # cat /mnt/file 0�D0�abcdefghi Just because we hold a write delegation doesn't mean that we've read in the entire page contents. Cc: # v3.11+ Signed-off-by: Scott Mayhew Signed-off-by: Trond Myklebust fs/nfs/write.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit d6a427afc951e705a45d18fe513b4a9644b54586 Author: Trond Myklebust Date: Fri Jan 17 17:03:41 2014 -0500 Upstream commit: 64590daa9e0dfb3aad89e3ab9230683b76211d5b NFSv4.1: Handle errors correctly in nfs41_walk_client_list Both nfs41_walk_client_list and nfs40_walk_client_list expect the 'status' variable to be set to the value -NFS4ERR_STALE_CLIENTID if the loop fails to find a match. The problem is that the 'pos->cl_cons_state > NFS_CS_READY' changes the value of 'status', and sets it either to the value '0' (which indicates success), or to the value EINTR. Cc: stable@vger.kernel.org # 3.7.x: 7b1f1fd1842e6: NFSv4/4.1: Fix bugs in Signed-off-by: Trond Myklebust fs/nfs/nfs4client.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit f7c465156fdef12a66d0a59114582dc4d4d7f406 Author: Weston Andros Adamson Date: Sun Jan 19 22:45:36 2014 -0500 Upstream commit: abad2fa5ba67725a3f9c376c8cfe76fbe94a3041 nfs4: fix discover_server_trunking use after free If clp is new (cl_count = 1) and it matches another client in nfs4_discover_server_trunking, the nfs_put_client will free clp before ->cl_preserve_clid is set. Cc: stable@vger.kernel.org # 3.7+ Signed-off-by: Weston Andros Adamson Signed-off-by: Trond Myklebust fs/nfs/nfs4client.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit d3737c02af42ac32da97dc30dac94ae7343cec14 Author: Heiko Carstens Date: Mon Jan 27 17:07:19 2014 -0800 Upstream commit: 592f6b842f64e416c7598a1b97c649b34241e22d compat: fix sys_fanotify_mark Commit 91c2e0bcae72 ("unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE") added a new unified compat fanotify_mark syscall to be used by all architectures. Unfortunately the unified version merges the split mask parameter in a wrong way: the lower and higher word got swapped. This was discovered with glibc's tst-fanotify test case. Signed-off-by: Heiko Carstens Reported-by: Andreas Krebbel Cc: "James E.J. Bottomley" Acked-by: "David S. Miller" Acked-by: Al Viro Cc: Benjamin Herrenschmidt Cc: Ingo Molnar Cc: Ralf Baechle Cc: [3.10+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/fanotify/fanotify_user.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit ae72596a96d46255c781f07ee2de05abe57d43ff Merge: 5254ff7 b9c766b Author: Brad Spengler Date: Tue Jan 28 18:23:25 2014 -0500 Merge branch 'pax-test' into grsec-test commit b9c766bc9706fcfe5bbe0df099178e8eaa643327 Author: Brad Spengler Date: Tue Jan 28 18:22:46 2014 -0500 Update to pax-linux-3.13-test6.patch: - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs arch/x86/kernel/entry_64.S | 22 ++++++++++++---------- include/linux/skbuff.h | 2 +- 2 files changed, 13 insertions(+), 11 deletions(-) commit 5254ff73f13759d893213092da5fd654ca22960f Merge: 7e5aad2 c956349 Author: Brad Spengler Date: Mon Jan 27 22:52:22 2014 -0500 Merge branch 'pax-test' into grsec-test commit c956349a3335c72308d1bce7524f2e0f521ff709 Author: Brad Spengler Date: Mon Jan 27 22:51:57 2014 -0500 Update to pax-linux-3.13-test5.patch: - new size overflow hash table from spender - backported http://git.kernel.org/linus/34228d473ef - fixed CONFIG_MEM_SOFT_DIRTY interference with _PAGE_NX on x86 - fixed the size overflow plugin for gcc 4.9, by Emese Revfy arch/x86/include/asm/pgtable_types.h | 2 +- mm/mmap.c | 12 +++++++++- tools/gcc/gcc-common.h | 2 + tools/gcc/size_overflow_hash.data | 33 ++++++++++++++++++++++++++-- tools/gcc/size_overflow_plugin.c | 38 +++++++++++++++++----------------- 5 files changed, 62 insertions(+), 25 deletions(-) commit 7e5aad2c98c49f82bdd6a6949133c0393b743e4a Author: Brad Spengler Date: Mon Jan 27 21:12:59 2014 -0500 update size_overflow hash table tools/gcc/size_overflow_hash.data | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 9583ac30e401a97397c5a4a30564521bc2d8afeb Author: Brad Spengler Date: Mon Jan 27 20:33:30 2014 -0500 Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f4afefdb6f09d22d5c0a74cf2a3ff4f44a67a8c8 Author: Brad Spengler Date: Mon Jan 27 20:30:10 2014 -0500 Make all grsecurity code GPLv2 only for future releases. Not really important as grsecurity is a derivative work of the Linux kernel and thus forced to be GPLv2, the "or higher" was superfluous. grsecurity/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 718e2b2400f29a7fa414c6c5d383f82658a3457f Author: Brad Spengler Date: Sun Jan 26 22:22:52 2014 -0500 update size_overflow hash table tools/gcc/size_overflow_hash.data | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit a4369fd780e658a9d26bedc53415261286caefe5 Merge: c93ceb8 f3b1213 Author: Brad Spengler Date: Sun Jan 26 21:24:43 2014 -0500 Merge branch 'pax-test' into grsec-test commit f3b12134d032b0bfc2a9fc2183a50fabcaabdbf5 Author: Brad Spengler Date: Sun Jan 26 21:24:17 2014 -0500 Update to pax-linux-3.13-test4.patch: - fixed a constify plugin regression, reported by spender - updated gcc-common.h tools/gcc/constify_plugin.c | 4 +- tools/gcc/gcc-common.h | 68 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 65 insertions(+), 7 deletions(-) commit 962a3acff3d42cf360932f438a666224b8597012 Author: Brad Spengler Date: Sun Jan 26 21:24:01 2014 -0500 Revert "fix an assert triggering in constify plugin update, real fix coming later" This reverts commit 899baaf06fdd79f9b9b410a414695ba7b80f6203. tools/gcc/constify_plugin.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit c93ceb8d5ed604ddd5580de9a764fc411824c5c0 Author: Brad Spengler Date: Sun Jan 26 21:18:31 2014 -0500 update size_overflow hash table tools/gcc/size_overflow_hash.data | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) commit b42c965a52f58915c8fd048749c1dc5bcf373339 Merge: 663306e 899baaf Author: Brad Spengler Date: Sun Jan 26 20:35:52 2014 -0500 Merge branch 'pax-test' into grsec-test commit 899baaf06fdd79f9b9b410a414695ba7b80f6203 Author: Brad Spengler Date: Sun Jan 26 20:34:49 2014 -0500 fix an assert triggering in constify plugin update, real fix coming later tools/gcc/constify_plugin.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 663306edb8f76d8be46c39ba6aafcdec3e000ab1 Author: Brad Spengler Date: Sun Jan 26 18:24:44 2014 -0500 fix typo tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4539e5f2729719d07095cf267ea426524f7dc8f9 Author: Brad Spengler Date: Sun Jan 26 18:22:33 2014 -0500 Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++---------------- 1 files changed, 42 insertions(+), 35 deletions(-) commit 3344ccde1ca59e4e0a4105f25ffbab561e5ee582 Merge: ff96162 0b83e85 Author: Brad Spengler Date: Sun Jan 26 18:04:38 2014 -0500 Merge branch 'pax-test' into grsec-test commit 0b83e85c64c9e6e4328cac45d980cdd7e088f157 Author: Brad Spengler Date: Sun Jan 26 18:03:50 2014 -0500 Update to pax-linux-3.13-test3.patch: - gcc plugin updates - ported them to gcc trunk (future 4.9) - introduced gcc-common.h to simplify gcc version dependencies - updated size overflow hash table from spender - fixed kallocstat to detect constant size arguments early - fixed constify to preserve type qualifiers on pointer-to-self fields - added a few sparse/checker annotations and changes to satisfy gcc's address space logic - fixed the TRACE_IRQFLAGS problem reported by minipli again arch/x86/ia32/ia32_signal.c | 6 +- arch/x86/include/asm/uaccess_64.h | 4 +- arch/x86/kernel/entry_64.S | 112 ++++---- arch/x86/kernel/preempt.S | 3 + arch/x86/kernel/tboot.c | 2 +- arch/x86/kernel/xsave.c | 8 +- arch/x86/lib/thunk_64.S | 2 +- block/compat_ioctl.c | 2 +- drivers/gpu/drm/drm_crtc.c | 2 +- drivers/gpu/drm/qxl/qxl_ioctl.c | 6 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 +- drivers/media/v4l2-core/v4l2-ctrls.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 2 +- drivers/mmc/card/block.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/vhost/vringh.c | 18 +- drivers/video/fbmem.c | 2 +- fs/compat_ioctl.c | 2 +- fs/exec.c | 2 +- fs/proc/vmcore.c | 4 +- include/uapi/linux/videodev2.h | 2 +- ipc/compat.c | 2 +- kernel/compat.c | 2 +- kernel/kmod.c | 4 +- net/9p/client.c | 6 +- net/compat.c | 2 +- net/core/filter.c | 2 +- net/netfilter/nft_compat.c | 4 +- net/socket.c | 6 +- net/tipc/subscr.c | 2 +- sound/pci/hda/hda_codec.c | 2 +- tools/gcc/Makefile | 2 +- tools/gcc/checker_plugin.c | 30 +-- tools/gcc/colorize_plugin.c | 62 +++-- tools/gcc/constify_plugin.c | 105 ++++---- tools/gcc/gcc-common.h | 207 +++++++++++++++ tools/gcc/kallocstat_plugin.c | 164 +++++++------ tools/gcc/kernexec_plugin.c | 333 ++++++++++++++---------- tools/gcc/latent_entropy_plugin.c | 146 +++++------ tools/gcc/size_overflow_hash.data | 68 +++++- tools/gcc/size_overflow_plugin.c | 348 +++++++++++-------------- tools/gcc/stackleak_plugin.c | 236 +++++++++-------- tools/gcc/structleak_plugin.c | 90 +++---- 43 files changed, 1149 insertions(+), 871 deletions(-) commit ff9616214c2e875db763bd395dce11df378df896 Author: Brad Spengler Date: Sun Jan 26 13:35:44 2014 -0500 pass hashed seed define as a string Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 39961e3ad1abacccc8a2de280868bcfe52a1edff Author: Brad Spengler Date: Sun Jan 26 12:44:21 2014 -0500 add a sha256-hashed version of the seed to modversion to ensure no modules compiled with another seed can be loaded Documentation/dontdiff | 1 + Makefile | 4 +++- include/linux/vermagic.h | 8 +++++++- scripts/gen-random-seed.sh | 2 +- tools/gcc/.gitignore | 1 + 5 files changed, 13 insertions(+), 3 deletions(-) commit 1df9ff15112f3713997ac10e915b99ad99d2e33a Author: Brad Spengler Date: Sun Jan 26 11:26:44 2014 -0500 Force HIDESYM on if RANDSTRUCT is used, just in case there is a user who already isn't enabling it (to prevent the seed from potentially being visible to other users if compiled on the same machine). Suggested by minipli grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 5ee75cac712d37f79de1e6f509a18749258b2085 Author: Brad Spengler Date: Sun Jan 26 01:01:31 2014 -0500 Update size_overflow hash table tools/gcc/size_overflow_hash.data | 19 +++++++++++++++++-- 1 files changed, 17 insertions(+), 2 deletions(-) commit d87a88e0b3298c9d39bb7b3257dabb8fc17b8e9c Author: Brad Spengler Date: Sat Jan 25 22:19:55 2014 -0500 update to new mount_lock grsecurity/gracl.c | 24 +++++++++++------------- 1 files changed, 11 insertions(+), 13 deletions(-) commit 677d1d169912d98b7a139563ab7f7fb82ee6c3c5 Author: Brad Spengler Date: Sat Jan 25 19:05:59 2014 -0500 compile fix init/main.c | 4 ---- 1 files changed, 0 insertions(+), 4 deletions(-) commit c8496c1e0bb5cbed7aff11ee208a7a89ffd80b40 Author: Brad Spengler Date: Sat Jan 25 19:00:50 2014 -0500 resync random code with 3.13 include/linux/random.h | 4 ++++ include/uapi/linux/random.h | 7 ------- 2 files changed, 4 insertions(+), 7 deletions(-) commit 3d168ee50cb706276c805ae1d6a5e8417a91067a Author: Brad Spengler Date: Sat Jan 25 14:54:11 2014 -0500 Fix another compiler error caught by RANDSTRUCT Signed-off-by: Brad Spengler sound/isa/sb/emu8000_synth.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit bc4a5595404b985a2b17e84d29765b7af7e968ca Author: Brad Spengler Date: Sat Jan 25 14:34:12 2014 -0500 Fix another compiler error caught by RANDSTRUCT Signed-off-by: Brad Spengler drivers/net/wan/z85230.c | 24 ++++++++++++------------ 1 files changed, 12 insertions(+), 12 deletions(-) commit 0f0da7cb40431fe816aa356499bff026452cfc44 Author: Brad Spengler Date: Sat Jan 25 14:30:46 2014 -0500 fix compilation with RANDSTRUCT plugin Signed-off-by: Brad Spengler sound/drivers/opl4/opl4_seq.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 97d6cc865b9cf64fada1fcaabfa923fecee54ef7 Author: Brad Spengler Date: Sat Jan 25 14:16:18 2014 -0500 avoid problems by just building our fake field decl node from scratch Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 6455dfb41e9c0d3f26f00ef2f505bd0f74aa8dca Author: Brad Spengler Date: Sat Jan 25 13:45:18 2014 -0500 while in non-debug mode, don't emit notes for non-randomized struct types clear all signs from our fake field decl of being a bitfield Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 35909486eebb6c1ab27956ef6cc35e19e19282a2 Author: Brad Spengler Date: Sat Jan 25 12:56:05 2014 -0500 revert change to read-only marking of fake struct field Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bbd5d12c912390e0bdb6ddde81279b579fc94edb Author: Brad Spengler Date: Sat Jan 25 12:42:48 2014 -0500 Update RANDSTRUCT plugin help Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 0d829e61f501ae59387a6e1d0f9060d5555ac588 Author: Brad Spengler Date: Sat Jan 25 12:25:43 2014 -0500 Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures automatically enabled by GRKERNSEC_CONFIG_AUTO performance mode is activated if the config priority is set to performance Signed-off-by: Brad Spengler Documentation/dontdiff | 1 + Makefile | 12 +- arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/block/cciss.h | 30 +- drivers/block/drbd/drbd_interval.c | 6 +- drivers/block/smart1,2.h | 40 +- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/wan/lmc/lmc_media.c | 97 ++-- drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 20 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- drivers/video/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/matrox/matroxfb_Ti3026.c | 5 +- fs/mount.h | 4 +- fs/proc/internal.h | 4 +- fs/reiserfs/item_ops.c | 24 +- grsecurity/Kconfig | 31 +- include/linux/compiler-gcc4.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 4 +- include/linux/dcache.h | 2 +- include/linux/fs.h | 14 +- include/linux/fs_struct.h | 2 +- include/linux/ipc_namespace.h | 2 +- include/linux/kobject.h | 2 +- include/linux/mm_types.h | 4 +- include/linux/module.h | 4 +- include/linux/mount.h | 2 +- include/linux/pid_namespace.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/sched.h | 6 +- include/linux/sysctl.h | 2 +- include/linux/tty.h | 2 +- include/linux/tty_driver.h | 2 +- include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 2 +- lib/rbtree.c | 4 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/decnet/dn_dev.c | 2 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- scripts/Makefile | 2 + scripts/gen-random-seed.sh | 8 + sound/core/seq/oss/seq_oss.c | 4 +- sound/core/seq/seq_midi.c | 4 +- sound/drivers/opl3/opl3_seq.c | 4 +- sound/pci/emu10k1/emu10k1_synth.c | 4 +- sound/synth/emux/emux_seq.c | 14 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 2 + tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++ 74 files changed, 1222 insertions(+), 390 deletions(-) commit 301f9fc40e1bed50d31034a192bc95874d5bf3b6 Author: Brad Spengler Date: Sun Jan 19 09:00:56 2014 -0500 compile fix Signed-off-by: Brad Spengler include/linux/random.h | 4 ---- include/uapi/linux/random.h | 7 +++++++ 2 files changed, 7 insertions(+), 4 deletions(-) commit b79910431008b8ce731d45aa3aecc75fe33c928c Author: Hannes Frederic Sowa Date: Mon Nov 11 12:20:34 2013 +0100 Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9 random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized The Tausworthe PRNG is initialized at late_initcall time. At that time the entropy pool serving get_random_bytes is not filled sufficiently. This patch adds an additional reseeding step as soon as the nonblocking pool gets marked as initialized. On some machines it might be possible that late_initcall gets called after the pool has been initialized. In this situation we won't reseed again. (A call to prandom_seed_late blocks later invocations of early reseed attempts.) Joint work with Daniel Borkmann. Cc: Eric Dumazet Cc: Theodore Ts'o Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Acked-by: "Theodore Ts'o" Signed-off-by: David S. Miller Conflicts: lib/random32.c Signed-off-by: Brad Spengler drivers/char/random.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 31dee23268ac47eaaafacb186229bc14fb84fa9b Author: Brad Spengler Date: Sat Jan 18 20:43:43 2014 -0500 Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls Signed-off-by: Brad Spengler net/socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit ffccf022adef560230b6a641c612f33600ce0e6b Author: Brad Spengler Date: Wed Jan 8 20:24:27 2014 -0500 zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it Signed-off-by: Brad Spengler fs/proc/stat.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a96a6e3b96ffa8c96fa3939c109dc783de2110e0 Author: Brad Spengler Date: Wed Jan 8 18:13:15 2014 -0500 fix typo Signed-off-by: Brad Spengler mm/vmstat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4c084ac8468cdd4bbb8458fae4d0b6d2d1d5afd1 Author: Brad Spengler Date: Wed Jan 8 18:06:53 2014 -0500 provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened Signed-off-by: Brad Spengler mm/vmstat.c | 21 +++++++++++++++------ 1 files changed, 15 insertions(+), 6 deletions(-) commit e0d003dfd4911828f08fa93da2138c9f3be4f352 Author: Brad Spengler Date: Wed Jan 8 17:46:46 2014 -0500 back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers Signed-off-by: Brad Spengler drivers/pci/pci-sysfs.c | 9 --------- drivers/pci/proc.c | 3 --- 2 files changed, 0 insertions(+), 12 deletions(-) commit 0a0823fe85e85b9ad92131a35fe57e9aebc30260 Author: Brad Spengler Date: Thu Jan 2 17:05:39 2014 -0500 add missing #include Signed-off-by: Brad Spengler fs/proc/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 867c7a59c12374d99c59b9c99a1bf8214583baad Author: Brad Spengler Date: Thu Jan 2 17:02:24 2014 -0500 Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc) Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 checks currently Signed-off-by: Brad Spengler drivers/pci/pci-sysfs.c | 17 +++++++---------- drivers/pci/proc.c | 13 ++----------- drivers/pci/syscall.c | 4 ---- 3 files changed, 9 insertions(+), 25 deletions(-) commit e9075cc0c4bab695e2eea8e8ba8f8acfa3cef2ed Author: Brad Spengler Date: Tue Dec 31 10:30:20 2013 -0500 Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry Signed-off-by: Brad Spengler fs/proc/stat.c | 34 ++++++++++++++++++++++++---------- 1 files changed, 24 insertions(+), 10 deletions(-) commit 7a559ce128070d9d79bf4490a258dba677fa741e Author: Brad Spengler Date: Mon Dec 30 11:19:53 2013 -0500 Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1 Signed-off-by: Brad Spengler fs/proc/interrupts.c | 4 ++++ fs/proc/stat.c | 4 ++++ 2 files changed, 8 insertions(+), 0 deletions(-) commit 3898c8157466ff87ef613785f207c019ba8174cb Author: Brad Spengler Date: Mon Dec 30 11:13:49 2013 -0500 Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information. Signed-off-by: Brad Spengler grsecurity/Kconfig | 16 ++++++++++------ grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++--- include/linux/grmsg.h | 2 +- ipc/util.c | 3 ++- 4 files changed, 42 insertions(+), 11 deletions(-) commit 2a5eb70e0981fd24168be9e5d1c30735a922edca Author: Brad Spengler Date: Thu Dec 26 19:20:26 2013 -0500 add missing #include Signed-off-by: Brad Spengler grsecurity/grsec_mount.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7d66c996e754d41be945e7a2997b364643a13977 Author: Brad Spengler Date: Thu Dec 26 15:51:51 2013 -0500 Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM Signed-off-by: Brad Spengler grsecurity/Kconfig | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit bc9b4fe1db97c913b2c1163a90805c52c0f0df65 Author: Brad Spengler Date: Thu Dec 26 15:35:31 2013 -0500 Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig). Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- grsecurity/grsec_mount.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 2b5ad27e4a323648a0db99a9fa3f27b042dd70f0 Author: Brad Spengler Date: Wed Dec 25 16:37:02 2013 -0500 Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not the other way around (to produce more secure settings when distro configs are used as a base) Signed-off-by: Brad Spengler drivers/acpi/custom_method.c | 4 ++++ drivers/pci/pci-sysfs.c | 12 ++++++++++++ drivers/pci/proc.c | 12 ++++++++++++ drivers/pci/syscall.c | 4 ++++ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ kernel/power/Kconfig | 2 ++ security/Kconfig | 1 - 7 files changed, 46 insertions(+), 1 deletions(-) commit c70c49f956beb3d785ca20466c4e5c1d84d7356b Author: Brad Spengler Date: Wed Dec 25 15:11:51 2013 -0500 remove unused 'dentry' variable Signed-off-by: Brad Spengler fs/xattr.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit cb20fb467591aa2a85a8c12a1bc215a01ed75b18 Author: Brad Spengler Date: Wed Dec 25 15:03:13 2013 -0500 Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use. Signed-off-by: Brad Spengler fs/xattr.c | 18 +++++++++++------- grsecurity/gracl_fs.c | 6 ++++++ grsecurity/grsec_disabled.c | 6 ++++++ include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 2 ++ 5 files changed, 27 insertions(+), 8 deletions(-) commit 482ec0da63b38a9c20cc2205bc7ea87a3985d164 Author: Brad Spengler Date: Fri Dec 20 20:18:56 2013 -0500 compile fix Signed-off-by: Brad Spengler fs/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 038cc5994b483905c9c0b9e6259a84f7333becc2 Author: Brad Spengler Date: Fri Dec 13 19:39:54 2013 -0500 Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy) In practice this causes bogus auditing messages for / and could potentially cause a subject without executable shared memory support to permit executable shared memory (if PaX is disabled on the binary). Instead just allocate these two special objects with kzalloc at enable time and free them at disable time. Thanks to nyt@countercultured.net for the report Signed-off-by: Brad Spengler grsecurity/gracl_policy.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b67b5e4666934693bb1fc4804ca60724f98a54d7 Author: Brad Spengler Date: Wed Dec 4 18:15:02 2013 -0500 Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2 Signed-off-by: Brad Spengler fs/coredump.c | 7 +++++-- grsecurity/grsec_sig.c | 14 ++------------ include/linux/grsecurity.h | 2 +- 3 files changed, 8 insertions(+), 15 deletions(-) commit ad3f9d56b43c4c448d5ba55d4e073e66a59898d7 Author: Brad Spengler Date: Tue Dec 3 19:39:04 2013 -0500 Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated. Disable KEXEC when GRKERNSEC_KMEM is enabled: http://mjg59.dreamwidth.org/28746.html Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present Signed-off-by: Brad Spengler arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/mips/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/tile/Kconfig | 1 + arch/x86/Kconfig | 1 + arch/x86/kernel/ioport.c | 12 ++++++------ grsecurity/Kconfig | 27 +++++++++++---------------- 8 files changed, 23 insertions(+), 22 deletions(-) commit 7044221d2d6e8d8e8fa26d5c30c72bd6e1d9b599 Author: Brad Spengler Date: Tue Nov 26 15:16:48 2013 -0500 Fix null deref on application of the shutdown role, reported by zakalwe Signed-off-by: Brad Spengler grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++- grsecurity/gracl_policy.c | 58 ++++----------------------------------------- 2 files changed, 62 insertions(+), 54 deletions(-) commit 1f894d3a1357fa9c7b2f849079546115fc797fd8 Author: Brad Spengler Date: Tue Nov 26 13:04:07 2013 -0500 Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root Signed-off-by: Brad Spengler kernel/kmod.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit aa561a3ad4b30e8c03837ff96bbcd868e363cb21 Author: Brad Spengler Date: Tue Nov 26 12:59:00 2013 -0500 Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe Signed-off-by: Brad Spengler grsecurity/gracl_policy.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b031d4f071e25462e94f742166b0ea6b8874dae4 Author: Brad Spengler Date: Mon Nov 25 22:33:33 2013 -0500 compile fix Signed-off-by: Brad Spengler kernel/kmod.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00a30755e85c7dbfd1042a0f4c5d911e288c8cc9 Author: Brad Spengler Date: Mon Nov 25 12:01:21 2013 -0500 Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity Signed-off-by: Brad Spengler kernel/kmod.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7177ab477fcc5d670718dafba3f6a454ed2e121e Author: Brad Spengler Date: Sun Nov 24 22:49:05 2013 -0500 Revert "HID: multitouch: validate feature report details" This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684. Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 +++++-------------------- 1 files changed, 5 insertions(+), 20 deletions(-) commit f0d33fb85de097278d1ae605c3d98fc99b578d56 Author: Brad Spengler Date: Sun Nov 24 22:48:49 2013 -0500 Revert "HID: lenovo-tpkbd: validate output report details" This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a. Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit 0c2a1258705b5c90732c2895664965da6a16bebc Author: Brad Spengler Date: Sun Nov 24 22:48:33 2013 -0500 Revert "HID: steelseries: validate output report details" This reverts commit 0996966348dc3c3f7515567d3245292785d484fc. Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit b17b436bd1781a43866931ce6b6ba2811882ade5 Author: Brad Spengler Date: Sun Nov 24 22:08:33 2013 -0500 add missing header Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45eefce5c5dc37368ed21d2b22a2d15973b7c06b Author: Brad Spengler Date: Sun Nov 24 22:04:55 2013 -0500 Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 804611c10dcd6e9486cf374fcbfb2053a80f918d Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 4aeb0dc39f03db1c2c55ebc0cb7797289948a872 Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. Signed-off-by: Brad Spengler grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit cdfd01e44815f0e0cb700b5597b3b2eb44352903 Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change Signed-off-by: Brad Spengler init/main.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 3ac09de20b5b3967c77a59ed064cd05e607ecca8 Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path Signed-off-by: Brad Spengler include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit 7fc979f0a8ffdc501b57e0c9c8b5251b8458d98e Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC Signed-off-by: Brad Spengler arch/arm/mm/fault.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit 9b5ffb45694e2381a73275b029d1cde3ba090555 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c Signed-off-by: Brad Spengler grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit 71ea2cc2fb940a4eaa6a4f6e5084efc91197bed1 Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected Signed-off-by: Brad Spengler kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 36895fdbcf3b528221475a894076611c6340bc6f Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well Signed-off-by: Brad Spengler fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 47474491a88a18956b3c23a0f8ea5a793aeaaf0b Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c Signed-off-by: Brad Spengler net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 8aeb360164c3165b8d843b90776f92748cb0826f Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC Signed-off-by: Brad Spengler grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 65982aa12f534a722a92dd211e9b2461cac099cd Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c07ac5819bfcbb29fe75896f409517acc95f09d0 Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit 7a03cf3e714a075ce6d1b1c4e2cbe269968c32d9 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c Signed-off-by: Brad Spengler drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1822dec9af44fef43a2092fbb98d986d40688e92 Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 252aafc936113beb2c4b654c51ca4f69e34e7ece Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit d91a8c0aac4fd7d52d861fa389d094b0dbe69d8b Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. Signed-off-by: Brad Spengler mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 521a19248a7f3ae875854835be586208d7e94362 Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 88abc9f686cef116d741924e96c8264c6feeb280 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig Signed-off-by: Brad Spengler security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit ca2e0bc771e1868a1b993013d725ab602d8e0454 Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c Signed-off-by: Brad Spengler lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 9f9fda5bdad944095d49943719343439cebceb34 Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/uio/uio.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 0f332bf501f3c2035c63fc3e58f07be9cc96924b Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change Signed-off-by: Brad Spengler grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit d6aeef5cb3bbaa011f74eb38133043965302cc32 Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 02b18c56607ff93f00659ee100517bba70972aca Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed Signed-off-by: Brad Spengler net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8991fc98b032a2338b9fda708d2dad227fbcd83 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) Signed-off-by: Brad Spengler lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c63230b915355cea2649fac21c9469a8c3f88876 Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 0dcfe7e8eac4751d2bbabc48fb63a0118bb353eb Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c Signed-off-by: Brad Spengler fs/namei.c | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) commit 89d5374f91319363bb79c916764c747f3229759c Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() Signed-off-by: Brad Spengler fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fefeb37bc66cf8e1b8c32a1f1e9776f6b701b245 Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit e4a184da44ae23ab3ee9e250d4bc38050e4a3533 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit c96e77a4ec0b7045e4e3e8f6d33937c078a79cb6 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 600c8f5a6a7b57e4ecbb16d10eab3bdfae399299 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 979cb67c276ef34486ed64bb58ed30020bc8a53f Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit d259a636db5500db5e3ddacab82857db244bf46f Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 73872d212f992833add967be12de9628941bdd5b Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 57a621395b231025d33da789f7593da0e9c591a4 Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 6261da1c18366e4b2e0ff28781e0a769a2d31d1b Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9a7678270debd6b7c14ed1e91fb502d73bfaee08 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit efb7731d700d5b4568871670ac0841a84f003029 Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 3469d59da7f6bd0c5838764e5b06bad97193f628 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 03b91bfc983379670fd439b2b3fbec633ea6468d Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 2e9828b85e2ab096affe9e8b52cd68d7a0d8839d Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit aeddd9080b145f520dfdba52e07ffe7ac5c2940a Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 8953b010e785f55d35e96de6d7913b7e6791d9f9 Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 346b6fb51f351bc8a2e52c158794c863b88c730b Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 5a95c583a8e74e8b980ae810c3755d7490f9f208 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be64e6e8a615622f5c8b8feefdbae24dfe1eb13a Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit bf41ff82977f5629d76e58b4eec76e78b6e0794c Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 80c4d845fa846426a226c1807310670fdc3f4fb9 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 29f82c7cc74a11260863cea855cb7bb7b79506db Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit b313d3d863fe87ecf4f79f61e9670955df66685e Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit e0b580d61744ac72ba2275fb5211de2bfc570058 Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit 2860f00640ffc0745e102fc8eea1b4787747a34f Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 271a28185b48e1c659c497837e26350f0b98b56b Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit c7b8b1a6d33fb9f2f33b6661d98ccf034bc4fa88 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 506d84be8c4e9db0b655d3f6da2cec92482b610f Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 7b7d053d1c9209c6810ee0e82d902d633df55114 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit f9503913fa6c0b461e5a6c991eb04b8e369e0dd2 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 4d203a112c51248189db81e89926ed2ccbbf3727 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98cc5ab35c0f012765475db240189e0d72e9e936 Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit aa8d1edbfb648b1b942996d59fa446fd830df989 Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 28b7a6a844d93d88bb83383bb6273cdc22c595ad Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 9490ca70e30846522d28b6f9ca7caf28cdb7b9e3 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 5f7d6c7e7e4ef41577b73936595ed1f28649e9e9 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit 91c416711e2e713d870dc52ce17af0607a82cb75 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 99cad551389634d849387cf5e2054d9aa2c1c1b4 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 9ec58c4629d5aba15d09d4a740b83bf4cdb6da90 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit dd368be2aef36cae4f997fc798087069fb64d442 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 8970e77a91e35ddac604cf96462c600651e94baa Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit d5711d44bf668cdc5d29383e5e16ff884f1991ee Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit f9bf16c3f73ff249219c1a7d457f10b5f5448da1 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit afb88b8065edeb572c4d7992c6916d19a8bbc483 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 981fbde7260e575f99c7c9fc83239fca752cb543 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit c3ebfc69b7c5c12f54ee8b2c34776c503eb825f5 Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 5f3672544ae20bb1a595a849b304d1c168254e2b Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f892f6cf3070e516828ef6b81c39abdec77d7e93 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit bacca56a4c5ce1734004a310588d710ab642c14d Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit bb802e55264979a3517687cc4e3ea4043187a4d6 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit 80af0d78732fcd1345751765d6bdba75e4453096 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Signed-off-by: Brad Spengler Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 13 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 14 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 1 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 3 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 11 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 218 ++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 2 +- grsecurity/gracl_fs.c | 6 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 40 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/locking/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 229 files changed, 4100 insertions(+), 2025 deletions(-) commit 75586073addae35174967d77e1b985e6b534e3f8 Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 0100435c11a01cfbedea13ac5aebd38fb03309b4 Author: Brad Spengler Date: Sat Jan 25 17:32:18 2014 -0500 Initial import of pax-linux-3.13-test2.patch Documentation/dontdiff | 47 +- Documentation/kernel-parameters.txt | 23 + Makefile | 102 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 442 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 31 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 24 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 4 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/cache-l2x0.c | 2 +- arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 140 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 15 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 16 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 2 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 6 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 106 +- arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 10 +- arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 173 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 269 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 166 +- arch/x86/include/asm/bitops.h | 18 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/calling.h | 118 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 78 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 106 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 136 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 15 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/preempt.h | 2 +- arch/x86/include/asm/processor.h | 79 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rmwcc.h | 84 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 162 +- arch/x86/include/asm/uaccess_32.h | 24 +- arch/x86/include/asm/uaccess_64.h | 177 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/include/uapi/asm/ptrace-abi.h | 1 - arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 69 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 132 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 ++- arch/x86/kernel/entry_64.S | 736 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 136 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/jump_label.c | 8 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 63 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 63 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 20 +- arch/x86/lib/copy_user_64.S | 81 +- arch/x86/lib/copy_user_nocache_64.S | 14 + arch/x86/lib/csum-copy_64.S | 18 +- arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 10 +- arch/x86/lib/memmove_64.S | 4 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 2 + arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 12 +- arch/x86/lib/usercopy_32.c | 357 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 564 ++- arch/x86/mm/gup.c | 6 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 151 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 38 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/intel_mid_pci.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/intel-mid/intel-mid.c | 3 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 11 +- arch/x86/xen/smp.c | 21 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/null_blk.c | 27 +- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btwilink.c | 2 +- drivers/bus/arm-cci.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 12 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 13 +- drivers/cpufreq/cpufreq.c | 11 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/intel_pstate.c | 25 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 70 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/driver.c | 2 +- drivers/cpuidle/governor.c | 2 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/cper.c | 8 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 12 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 26 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 61 +- drivers/gpu/drm/tegra/dc.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/nct6775.c | 6 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 4 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/platform/vivi.c | 4 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 67 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_netlink.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/chrome/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/powercap/powercap_sys.c | 136 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 4 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 5 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 15 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/devio.c | 10 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/omap2/dss/display.c | 8 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 678 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/file.c | 10 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 16 +- fs/dcache.c | 5 +- fs/ecryptfs/inode.c | 2 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/file.c | 4 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 200 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/hostfs/hostfs_kern.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 12 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 59 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 41 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 16 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 212 +- include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/bitops/__fls.h | 2 +- include/asm-generic/bitops/fls.h | 2 +- include/asm-generic/bitops/fls64.h | 4 +- include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 15 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitops.h | 6 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 6 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/jiffies.h | 12 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 118 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/padata.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/pm.h | 1 + include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 23 +- include/linux/rculist.h | 20 +- include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 68 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 - include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vga_switcheroo.h | 8 +- include/linux/vmalloc.h | 7 +- include/linux/vmstat.h | 24 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 20 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 4 +- include/net/netns/ipv6.h | 4 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/checksum.h | 4 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 8 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 13 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 2 - include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 78 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 10 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/events/internal.h | 10 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 166 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 +- kernel/locking/lockdep.c | 7 +- kernel/locking/mutex-debug.c | 12 +- kernel/locking/mutex-debug.h | 4 +- kernel/locking/mutex.c | 10 +- kernel/locking/rtmutex-tester.c | 24 +- kernel/module.c | 337 +- kernel/notifier.c | 17 +- kernel/padata.c | 4 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcu/srcu.c | 4 +- kernel/rcu/tiny.c | 4 +- kernel/rcu/torture.c | 56 +- kernel/rcu/tree.c | 76 +- kernel/rcu/tree.h | 26 +- kernel/rcu/tree_plugin.h | 40 +- kernel/rcu/tree_trace.c | 22 +- kernel/rcu/update.c | 4 +- kernel/sched/auto_group.c | 4 +- kernel/sched/completion.c | 6 +- kernel/sched/core.c | 43 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/sys.c | 10 +- kernel/sysctl.c | 34 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 1 - kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/percpu-refcount.c | 2 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 28 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 583 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 42 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 106 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 2 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 75 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/fragmentation.c | 2 +- net/batman-adv/soft-interface.c | 6 +- net/batman-adv/types.h | 6 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 4 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 8 +- net/core/sock.c | 28 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 20 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 37 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 18 +- net/ipv6/addrconf.c | 12 +- net/ipv6/af_inet6.c | 2 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ip6_vti.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 17 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 17 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 8 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 8 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/svcauth_unix.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 22 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/module-common.lds | 4 + scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 689 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/security.c | 9 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 11 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/soc/soc-core.c | 6 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 557 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 474 ++ tools/gcc/latent_entropy_plugin.c | 335 ++ tools/gcc/size_overflow_hash.data | 5618 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 4072 ++++++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 44 +- 1716 files changed, 34523 insertions(+), 8024 deletions(-) commit 512ab625d6d34c2f8602a044454bb1366b80b98e Author: Brad Spengler Date: Sat Jan 25 14:54:11 2014 -0500 Fix another compiler error caught by RANDSTRUCT sound/isa/sb/emu8000_synth.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 43bd0a97d977b78f2a54045bbf98ee967209c144 Author: Brad Spengler Date: Sat Jan 25 14:34:12 2014 -0500 Fix another compiler error caught by RANDSTRUCT drivers/net/wan/z85230.c | 24 ++++++++++++------------ 1 files changed, 12 insertions(+), 12 deletions(-) commit e833f51aa919e2c94bb7ac6979a68cf3f4fcc131 Author: Brad Spengler Date: Sat Jan 25 14:30:46 2014 -0500 fix compilation with RANDSTRUCT plugin sound/drivers/opl4/opl4_seq.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 743f2ccb4dc72e6366e0cf0b371d37951c67ce0d Author: Brad Spengler Date: Sat Jan 25 14:16:18 2014 -0500 avoid problems by just building our fake field decl node from scratch tools/gcc/randomize_layout_plugin.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 9345145bb31148c2fb4918fe989d45bbf1219373 Author: Brad Spengler Date: Sat Jan 25 13:45:18 2014 -0500 while in non-debug mode, don't emit notes for non-randomized struct types clear all signs from our fake field decl of being a bitfield tools/gcc/randomize_layout_plugin.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 946d2d5cafa4f123f6ee36596f67cf8571e461b4 Author: Brad Spengler Date: Sat Jan 25 12:56:05 2014 -0500 revert change to read-only marking of fake struct field tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c947104c6a4c0e05ed6440287ad8872e2cbdb2f3 Author: Brad Spengler Date: Sat Jan 25 12:42:48 2014 -0500 Update RANDSTRUCT plugin help tools/gcc/randomize_layout_plugin.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 3757914c9c5d2278f93a3a8dc7d19847c6ee8e3a Author: Brad Spengler Date: Sat Jan 25 12:25:43 2014 -0500 Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures automatically enabled by GRKERNSEC_CONFIG_AUTO performance mode is activated if the config priority is set to performance Documentation/dontdiff | 1 + Makefile | 12 +- arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/block/cciss.h | 30 +- drivers/block/drbd/drbd_interval.c | 6 +- drivers/block/smart1,2.h | 40 +- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/wan/lmc/lmc_media.c | 97 ++-- drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 20 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- drivers/video/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/matrox/matroxfb_Ti3026.c | 5 +- fs/mount.h | 4 +- fs/proc/internal.h | 4 +- fs/reiserfs/item_ops.c | 24 +- grsecurity/Kconfig | 31 +- include/linux/compiler-gcc4.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 4 +- include/linux/dcache.h | 2 +- include/linux/fs.h | 14 +- include/linux/fs_struct.h | 2 +- include/linux/ipc_namespace.h | 2 +- include/linux/kobject.h | 2 +- include/linux/mm_types.h | 4 +- include/linux/module.h | 4 +- include/linux/mount.h | 2 +- include/linux/pid_namespace.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/sched.h | 6 +- include/linux/sysctl.h | 2 +- include/linux/tty.h | 2 +- include/linux/tty_driver.h | 2 +- include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 2 +- lib/rbtree.c | 4 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/decnet/dn_dev.c | 2 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- scripts/Makefile | 2 + scripts/gen-random-seed.sh | 8 + sound/core/seq/oss/seq_oss.c | 4 +- sound/core/seq/seq_midi.c | 4 +- sound/drivers/opl3/opl3_seq.c | 4 +- sound/pci/emu10k1/emu10k1_synth.c | 4 +- sound/synth/emux/emux_seq.c | 14 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 2 + tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++ 74 files changed, 1222 insertions(+), 390 deletions(-) commit 44ebc77fd9886fdebf8e3942a935cbe2f3272c3d Author: Brad Spengler Date: Sun Jan 19 09:27:31 2014 -0500 add PRNG self-tests lib/random32.c | 207 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 files changed, 197 insertions(+), 10 deletions(-) commit 7780c290ada57bac294c5a7e5b0286dd604920c5 Author: Brad Spengler Date: Sun Jan 19 09:00:56 2014 -0500 compile fix include/linux/random.h | 4 ---- include/uapi/linux/random.h | 2 +- 2 files changed, 1 insertions(+), 5 deletions(-) commit 4c4359a96c7b208513eb3563c90558cd5d2ca1a0 Author: Daniel Borkmann Date: Mon Nov 11 12:20:36 2013 +0100 Upstream commit: a98814cef87946d2708812ad9f8b1e03b8366b6f random32: upgrade taus88 generator to taus113 from errata paper Since we use prandom*() functions quite often in networking code i.e. in UDP port selection, netfilter code, etc, upgrade the PRNG from Pierre L'Ecuyer's original paper "Maximally Equidistributed Combined Tausworthe Generators", Mathematics of Computation, 65, 213 (1996), 203--213 to the version published in his errata paper [1]. The Tausworthe generator is a maximally-equidistributed generator, that is fast and has good statistical properties [1]. The version presented there upgrades the 3 state LFSR to a 4 state LFSR with increased periodicity from about 2^88 to 2^113. The algorithm is presented in [1] by the very same author who also designed the original algorithm in [2]. Also, by increasing the state, we make it a bit harder for attackers to "guess" the PRNGs internal state. See also discussion in [3]. Now, as we use this sort of weak initialization discussed in [3] only between core_initcall() until late_initcall() time [*] for prandom32*() users, namely in prandom_init(), it is less relevant from late_initcall() onwards as we overwrite seeds through prandom_reseed() anyways with a seed source of higher entropy, that is, get_random_bytes(). In other words, a exhaustive keysearch of 96 bit would be needed. Now, with the help of this patch, this state-search increases further to 128 bit. Initialization needs to make sure that s1 > 1, s2 > 7, s3 > 15, s4 > 127. taus88 and taus113 algorithm is also part of GSL. I added a test case in the next patch to verify internal behaviour of this patch with GSL and ran tests with the dieharder 3.31.1 RNG test suite: $ dieharder -g 052 -a -m 10 -s 1 -S 4137730333 #taus88 $ dieharder -g 054 -a -m 10 -s 1 -S 4137730333 #taus113 With this seed configuration, in order to compare both, we get the following differences: algorithm taus88 taus113 rands/second [**] 1.61e+08 1.37e+08 sts_serial(4, 1st run) WEAK PASSED sts_serial(9, 2nd run) WEAK PASSED rgb_lagged_sum(31) WEAK PASSED We took out diehard_sums test as according to the authors it is considered broken and unusable [4]. Despite that and the slight decrease in performance (which is acceptable), taus113 here passes all 113 tests (only rgb_minimum_distance_5 in WEAK, the rest PASSED). In general, taus/taus113 is considered "very good" by the authors of dieharder [5]. The papers [1][2] states a single warm-up step is sufficient by running quicktaus once on each state to ensure proper initialization of ~s_{0}: Our selection of (s) according to Table 1 of [1] row 1 holds the condition L - k <= r - s, that is, (32 32 32 32) - (31 29 28 25) <= (25 27 15 22) - (18 2 7 13) with r = k - q and q = (6 2 13 3) as also stated by the paper. So according to [2] we are safe with one round of quicktaus for initialization. However we decided to include the warm-up phase of the PRNG as done in GSL in every case as a safety net. We also use the warm up phase to make the output of the RNG easier to verify by the GSL output. In prandom_init(), we also mix random_get_entropy() into it, just like drivers/char/random.c does it, jiffies ^ random_get_entropy(). random-get_entropy() is get_cycles(). xor is entropy preserving so it is fine if it is not implemented by some architectures. Note, this PRNG is *not* used for cryptography in the kernel, but rather as a fast PRNG for various randomizations i.e. in the networking code, or elsewhere for debugging purposes, for example. [*]: In order to generate some "sort of pseduo-randomness", since get_random_bytes() is not yet available for us, we use jiffies and initialize states s1 - s3 with a simple linear congruential generator (LCG), that is x <- x * 69069; and derive s2, s3, from the 32bit initialization from s1. So the above quote from [3] accounts only for the time from core to late initcall, not afterwards. [**] Single threaded run on MacBook Air w/ Intel Core i5-3317U [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps [3] http://thread.gmane.org/gmane.comp.encryption.general/12103/ [4] http://code.google.com/p/dieharder/source/browse/trunk/libdieharder/diehard_sums.c?spec=svn490&r=490#20 [5] http://www.phy.duke.edu/~rgb/General/dieharder.php Joint work with Hannes Frederic Sowa. Cc: Florian Weimer Cc: Theodore Ts'o Signed-off-by: Daniel Borkmann Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Conflicts: include/linux/random.h include/linux/random.h | 13 +++++-- lib/random32.c | 80 +++++++++++++++++++++++++++-------------------- 2 files changed, 55 insertions(+), 38 deletions(-) commit 53dd59a26859c9b98cadcad65791c951b162e91e Author: Hannes Frederic Sowa Date: Mon Nov 11 12:20:33 2013 +0100 Upstream commit: 6d31920246a9fc80be4f16acd27c0bbe8d7b8494 random32: add periodic reseeding The current Tausworthe PRNG is never reseeded with truly random data after the first attempt in late_initcall. As this PRNG is used for some critical random data as e.g. UDP port randomization we should try better and reseed the PRNG once in a while with truly random data from get_random_bytes(). When we reseed with prandom_seed we now make also sure to throw the first output away. This suffices the reseeding procedure. The delay calculation is based on a proposal from Eric Dumazet. Joint work with Daniel Borkmann. Cc: Eric Dumazet Cc: Theodore Ts'o Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller Conflicts: lib/random32.c lib/random32.c | 22 ++++++++++++++++++++++ 1 files changed, 22 insertions(+), 0 deletions(-) commit 9deef5d021000495e04a730ba1880fb4b8951d45 Author: Hannes Frederic Sowa Date: Mon Nov 11 12:20:34 2013 +0100 Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9 random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized The Tausworthe PRNG is initialized at late_initcall time. At that time the entropy pool serving get_random_bytes is not filled sufficiently. This patch adds an additional reseeding step as soon as the nonblocking pool gets marked as initialized. On some machines it might be possible that late_initcall gets called after the pool has been initialized. In this situation we won't reseed again. (A call to prandom_seed_late blocks later invocations of early reseed attempts.) Joint work with Daniel Borkmann. Cc: Eric Dumazet Cc: Theodore Ts'o Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Acked-by: "Theodore Ts'o" Signed-off-by: David S. Miller Conflicts: lib/random32.c drivers/char/random.c | 5 ++++- include/linux/random.h | 1 + lib/random32.c | 24 +++++++++++++++++++++++- 3 files changed, 28 insertions(+), 2 deletions(-) commit 7445d45f81df0b84bbb7fc6cc598e6b70522c286 Author: Brad Spengler Date: Sat Jan 18 20:43:43 2014 -0500 Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls net/socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 2c18c01da2a59df2cdaa0d99e0ed2f781c3cbf4e Author: Eric Dumazet Date: Wed Jan 15 06:50:07 2014 -0800 Upstream commit: aee636c4809fa54848ff07a899b326eb1f9987a2 bpf: do not use reciprocal divide At first Jakub Zawadzki noticed that some divisions by reciprocal_divide were not correct. (off by one in some cases) http://www.wireshark.org/~darkjames/reciprocal-buggy.c He could also show this with BPF: http://www.wireshark.org/~darkjames/set-and-dump-filter-k-bug.c The reciprocal divide in linux kernel is not generic enough, lets remove its use in BPF, as it is not worth the pain with current cpus. Signed-off-by: Eric Dumazet Reported-by: Jakub Zawadzki Cc: Mircea Gherzan Cc: Daniel Borkmann Cc: Hannes Frederic Sowa Cc: Matt Evans Cc: Martin Schwidefsky Cc: Heiko Carstens Cc: David S. Miller Signed-off-by: David S. Miller Conflicts: arch/x86/net/bpf_jit_comp.c arch/arm/net/bpf_jit_32.c | 6 +++--- arch/powerpc/net/bpf_jit_comp.c | 7 ++++--- arch/s390/net/bpf_jit_comp.c | 17 ++++++++++++----- arch/sparc/net/bpf_jit_comp.c | 17 ++++++++++++++--- arch/x86/net/bpf_jit_comp.c | 16 ++++++++++------ net/core/filter.c | 30 ++---------------------------- 6 files changed, 45 insertions(+), 48 deletions(-) commit 6986871c84f81084d5c8723538ccefc5c401b31c Author: Jie Liu Date: Wed Jan 1 19:28:03 2014 +0800 Upstream commit: bba719b5004234e55737e7074b81b337210c511d xfs: fix off-by-one error in xfs_attr3_rmt_verify With CRC check is enabled, if trying to set an attributes value just equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote attr write verification procedure failure, which would yield the back trace like below: XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c Call Trace: [] dump_stack+0x45/0x56 [] xfs_error_report+0x3b/0x40 [xfs] [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] [] xfs_corruption_error+0x55/0x80 [xfs] [] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs] [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] [] _xfs_buf_ioapply+0x6d/0x390 [xfs] [] ? vm_map_ram+0x31a/0x460 [] ? wake_up_state+0x20/0x20 [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] [] xfs_buf_iorequest+0x6b/0xc0 [xfs] [] xfs_bdstrat_cb+0x55/0xb0 [xfs] [] xfs_bwrite+0x46/0x80 [xfs] [] xfs_attr_rmtval_set+0x334/0x490 [xfs] [] xfs_attr_leaf_addname+0x24a/0x410 [xfs] [] xfs_attr_set_int+0x223/0x470 [xfs] [] xfs_attr_set+0x96/0xb0 [xfs] [] xfs_xattr_set+0x42/0x70 [xfs] [] generic_setxattr+0x62/0x80 [] __vfs_setxattr_noperm+0x63/0x1b0 [] ? evm_inode_setxattr+0xe/0x10 [] vfs_setxattr+0xb5/0xc0 [] setxattr+0x12e/0x1c0 [] ? final_putname+0x22/0x50 [] ? putname+0x2b/0x40 [] ? user_path_at_empty+0x5f/0x90 [] ? __sb_start_write+0x49/0xe0 [] ? vm_mmap_pgoff+0x99/0xc0 [] SyS_setxattr+0x8f/0xe0 [] system_call_fastpath+0x1a/0x1f Tests: setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile This patch fix it to check the remote EA size is greater than the XATTR_SIZE_MAX rather than more than or equal to it, because it's valid if the specified EA value size is equal to the limitation as per VFS setxattr interface. Signed-off-by: Jie Liu Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7) fs/xfs/xfs_attr_remote.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e8aa7f8223cf2bc0893c6bec7ada0b13edc07703 Author: Steven Rostedt Date: Thu Jan 9 21:46:34 2014 -0500 Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be SELinux: Fix possible NULL pointer dereference in selinux_inode_permission() While running stress tests on adding and deleting ftrace instances I hit this bug: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: selinux_inode_permission+0x85/0x160 PGD 63681067 PUD 7ddbe067 PMD 0 Oops: 0000 [#1] PREEMPT CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20 Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006 task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000 RIP: 0010:[] [] selinux_inode_permission+0x85/0x160 RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840 RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000 RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54 R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000 R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000 FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0 Call Trace: security_inode_permission+0x1c/0x30 __inode_permission+0x41/0xa0 inode_permission+0x18/0x50 link_path_walk+0x66/0x920 path_openat+0xa6/0x6c0 do_filp_open+0x43/0xa0 do_sys_open+0x146/0x240 SyS_open+0x1e/0x20 system_call_fastpath+0x16/0x1b Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff RIP selinux_inode_permission+0x85/0x160 CR2: 0000000000000020 Investigating, I found that the inode->i_security was NULL, and the dereference of it caused the oops. in selinux_inode_permission(): isec = inode->i_security; rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); Note, the crash came from stressing the deletion and reading of debugfs files. I was not able to recreate this via normal files. But I'm not sure they are safe. It may just be that the race window is much harder to hit. What seems to have happened (and what I have traced), is the file is being opened at the same time the file or directory is being deleted. As the dentry and inode locks are not held during the path walk, nor is the inodes ref counts being incremented, there is nothing saving these structures from being discarded except for an rcu_read_lock(). The rcu_read_lock() protects against freeing of the inode, but it does not protect freeing of the inode_security_struct. Now if the freeing of the i_security happens with a call_rcu(), and the i_security field of the inode is not changed (it gets freed as the inode gets freed) then there will be no issue here. (Linus Torvalds suggested not setting the field to NULL such that we do not need to check if it is NULL in the permission check). Note, this is a hack, but it fixes the problem at hand. A real fix is to restructure the destroy_inode() to call all the destructor handlers from the RCU callback. But that is a major job to do, and requires a lot of work. For now, we just band-aid this bug with this fix (it works), and work on a more maintainable solution in the future. Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home Cc: stable@vger.kernel.org Signed-off-by: Steven Rostedt Signed-off-by: Linus Torvalds security/selinux/hooks.c | 20 ++++++++++++++++++-- security/selinux/include/objsec.h | 5 ++++- 2 files changed, 22 insertions(+), 3 deletions(-) commit e19ed2ef10ac8fb5539ff49890f149230ba504a2 Author: Hugh Dickins Date: Sun Jan 12 01:25:21 2014 -0800 Upstream commit: eecc1e426d681351a6026a7d3e7d225f38955b6c thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only We see General Protection Fault on RSI in copy_page_rep: that RSI is what you get from a NULL struct page pointer. RIP: 0010:[] [] copy_page_rep+0x5/0x10 RSP: 0000:ffff880136e15c00 EFLAGS: 00010286 RAX: ffff880000000000 RBX: ffff880136e14000 RCX: 0000000000000200 RDX: 6db6db6db6db6db7 RSI: db73880000000000 RDI: ffff880dd0c00000 RBP: ffff880136e15c18 R08: 0000000000000200 R09: 000000000005987c R10: 000000000005987c R11: 0000000000000200 R12: 0000000000000001 R13: ffffea00305aa000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f195752f700(0000) GS:ffff880c7fc20000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000093010000 CR3: 00000001458e1000 CR4: 00000000000027e0 Call Trace: copy_user_huge_page+0x93/0xab do_huge_pmd_wp_page+0x710/0x815 handle_mm_fault+0x15d8/0x1d70 __do_page_fault+0x14d/0x840 do_page_fault+0x2f/0x90 page_fault+0x22/0x30 do_huge_pmd_wp_page() tests is_huge_zero_pmd(orig_pmd) four times: but since shrink_huge_zero_page() can free the huge_zero_page, and we have no hold of our own on it here (except where the fourth test holds page_table_lock and has checked pmd_same), it's possible for it to answer yes the first time, but no to the second or third test. Change all those last three to tests for NULL page. (Note: this is not the same issue as trinity's DEBUG_PAGEALLOC BUG in copy_page_rep with RSI: ffff88009c422000, reported by Sasha Levin in https://lkml.org/lkml/2013/3/29/103. I believe that one is due to the source page being split, and a tail page freed, while copy is in progress; and not a problem without DEBUG_PAGEALLOC, since the pmd_same check will prevent a miscopy from being made visible.) Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page") Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.10 v3.11 v3.12 Signed-off-by: Linus Torvalds mm/huge_memory.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 49bf1cc12db4954afc0a3e9a4506325a53259c13 Author: Christian Engelmayer Date: Sat Jan 11 22:19:30 2014 +0100 Upstream commit: 267d29a69c6af39445f36102a832b25ed483f299 ieee802154: Fix memory leak in ieee802154_add_iface() Fix a memory leak in the ieee802154_add_iface() error handling path. Detected by Coverity: CID 710490. Signed-off-by: Christian Engelmayer Signed-off-by: David S. Miller net/ieee802154/nl-phy.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4e2493507f0d3a43a3c9562a4e75ae806f993d84 Author: Hannes Frederic Sowa Date: Mon Jan 13 02:45:22 2014 +0100 Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e net: avoid reference counter overflows on fib_rules in multicast forwarding Bob Falken reported that after 4G packets, multicast forwarding stopped working. This was because of a rule reference counter overflow which freed the rule as soon as the overflow happend. This patch solves this by adding the FIB_LOOKUP_NOREF flag to fib_rules_lookup calls. This is safe even from non-rcu locked sections as in this case the flag only implies not taking a reference to the rule, which we don't need at all. Rules only hold references to the namespace, which are guaranteed to be available during the call of the non-rcu protected function reg_vif_xmit because of the interface reference which itself holds a reference to the net namespace. Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables") Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables") Reported-by: Bob Falken Cc: Patrick McHardy Cc: Thomas Graf Cc: Julian Anastasov Cc: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ipmr.c | 7 +++++-- net/ipv6/ip6mr.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 427e1a47ccd092da8d3834ec889bbf899bf02994 Author: NeilBrown Date: Mon Jan 6 10:35:34 2014 +1100 Upstream commit: e8b849158508565e0cd6bc80061124afc5879160 md/raid10: fix bug when raid10 recovery fails to recover a block. commit e875ecea266a543e643b19e44cf472f1412708f9 md/raid10 record bad blocks as needed during recovery. added code to the "cannot recover this block" path to record a bad block rather than fail the whole recovery. Unfortunately this new case was placed *after* r10bio was freed rather than *before*, yet it still uses r10bio. This is will crash with a null dereference. So move the freeing of r10bio down where it is safe. Cc: stable@vger.kernel.org (v3.1+) Fixes: e875ecea266a543e643b19e44cf472f1412708f9 Reported-by: Damian Nowak URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 Signed-off-by: NeilBrown drivers/md/raid10.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 528bc79bf4b9414269c3468527a1fb93992888ec Author: NeilBrown Date: Mon Jan 6 13:19:42 2014 +1100 Upstream commit: 1cc03eb93245e63b0b7a7832165efdc52e25b4e6 md/raid5: Fix possible confusion when multiple write errors occur. commit 5d8c71f9e5fbdd95650be00294d238e27a363b5c md: raid5 crash during degradation Fixed a crash in an overly simplistic way which could leave R5_WriteError or R5_MadeGood set in the stripe cache for devices for which it is no longer relevant. When those devices are removed and spares added the flags are still set and can cause incorrect behaviour. commit 14a75d3e07c784c004b4b44b34af996b8e4ac453 md/raid5: preferentially read from replacement device if possible. Fixed the same bug if a more effective way, so we can now revert the original commit. Reported-and-tested-by: Alexander Lyakas Cc: stable@vger.kernel.org (3.2+ - 3.2 will need a different fix though) Fixes: 5d8c71f9e5fbdd95650be00294d238e27a363b5c Signed-off-by: NeilBrown drivers/md/raid5.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 65e365f661bcc034ce8da73be4521dde4088cbc6 Author: NeilBrown Date: Tue Jan 14 10:38:09 2014 +1100 Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1 md/raid10: fix two bugs in handling of known-bad-blocks. If we discover a bad block when reading we split the request and potentially read some of it from a different device. The code path of this has two bugs in RAID10. 1/ we get a spin_lock with _irq, but unlock without _irq!! 2/ The calculation of 'sectors_handled' is wrong, as can be clearly seen by comparison with raid1.c This leads to at least 2 warnings and a probable crash is a RAID10 ever had known bad blocks. Cc: stable@vger.kernel.org (v3.1+) Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160 Reported-by: Damian Nowak URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 Signed-off-by: NeilBrown drivers/md/raid10.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 648634ea6eaa98407d5cee468eea365addf784d7 Author: Andreas Rohner Date: Tue Jan 14 17:56:36 2014 -0800 Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a nilfs2: fix segctor bug that causes file system corruption There is a bug in the function nilfs_segctor_collect, which results in active data being written to a segment, that is marked as clean. It is possible, that this segment is selected for a later segment construction, whereby the old data is overwritten. The problem shows itself with the following kernel log message: nilfs_sufile_do_cancel_free: segment 6533 must be clean Usually a few hours later the file system gets corrupted: NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0 NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660) The issue can be reproduced with a file system that is nearly full and with the cleaner running, while some IO intensive task is running. Although it is quite hard to reproduce. This is what happens: 1. The cleaner starts the segment construction 2. nilfs_segctor_collect is called 3. sc_stage is on NILFS_ST_SUFILE and segments are freed 4. sc_stage is on NILFS_ST_DAT current segment is full 5. nilfs_segctor_extend_segments is called, which allocates a new segment 6. The new segment is one of the segments freed in step 3 7. nilfs_sufile_cancel_freev is called and produces an error message 8. Loop around and the collection starts again 9. sc_stage is on NILFS_ST_SUFILE and segments are freed including the newly allocated segment, which will contain active data and can be allocated at a later time 10. A few hours later another segment construction allocates the segment and causes file system corruption This can be prevented by simply reordering the statements. If nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments the freed segments are marked as dirty and cannot be allocated any more. Signed-off-by: Andreas Rohner Reviewed-by: Ryusuke Konishi Tested-by: Andreas Rohner Signed-off-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/nilfs2/segment.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 380b201967bbe5769291311e5195a603006d391c Author: Mikulas Patocka Date: Tue Jan 14 17:56:40 2014 -0800 Upstream commit: 03e5ac2fc3bf6f4140db0371e8bb4243b24e3e02 mm: fix crash when using XFS on loopback Commit 8456a648cf44 ("slab: use struct page for slab management") causes a crash in the LVM2 testsuite on PA-RISC (the crashing test is fsadm.sh). The testsuite doesn't crash on 3.12, crashes on 3.13-rc1 and later. Bad Address (null pointer deref?): Code=15 regs=000000413edd89a0 (Addr=000006202224647d) CPU: 3 PID: 24008 Comm: loop0 Not tainted 3.13.0-rc6 #5 task: 00000001bf3c0048 ti: 000000413edd8000 task.ti: 000000413edd8000 YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI PSW: 00001000000001101111100100001110 Not tainted r00-03 000000ff0806f90e 00000000405c8de0 000000004013e6c0 000000413edd83f0 r04-07 00000000405a95e0 0000000000000200 00000001414735f0 00000001bf349e40 r08-11 0000000010fe3d10 0000000000000001 00000040829c7778 000000413efd9000 r12-15 0000000000000000 000000004060d800 0000000010fe3000 0000000010fe3000 r16-19 000000413edd82a0 00000041078ddbc0 0000000000000010 0000000000000001 r20-23 0008f3d0d83a8000 0000000000000000 00000040829c7778 0000000000000080 r24-27 00000001bf349e40 00000001bf349e40 202d66202224640d 00000000405a95e0 r28-31 202d662022246465 000000413edd88f0 000000413edd89a0 0000000000000001 sr00-03 000000000532c000 0000000000000000 0000000000000000 000000000532c000 sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000401fe42c 00000000401fe430 IIR: 539c0030 ISR: 00000000202d6000 IOR: 000006202224647d CPU: 3 CR30: 000000413edd8000 CR31: 0000000000000000 ORIG_R28: 00000000405a95e0 IAOQ[0]: vma_interval_tree_iter_first+0x14/0x48 IAOQ[1]: vma_interval_tree_iter_first+0x18/0x48 RP(r2): flush_dcache_page+0x128/0x388 Backtrace: flush_dcache_page+0x128/0x388 lo_splice_actor+0x90/0x148 [loop] splice_from_pipe_feed+0xc0/0x1d0 __splice_from_pipe+0xac/0xc0 lo_direct_splice_actor+0x1c/0x70 [loop] splice_direct_to_actor+0xec/0x228 lo_receive+0xe4/0x298 [loop] loop_thread+0x478/0x640 [loop] kthread+0x134/0x168 end_fault_vector+0x20/0x28 xfs_setsize_buftarg+0x0/0x90 [xfs] Kernel panic - not syncing: Bad Address (null pointer deref?) Commit 8456a648cf44 changes the page structure so that the slab subsystem reuses the page->mapping field. The crash happens in the following way: * XFS allocates some memory from slab and issues a bio to read data into it. * the bio is sent to the loopback device. * lo_receive creates an actor and calls splice_direct_to_actor. * lo_splice_actor copies data to the target page. * lo_splice_actor calls flush_dcache_page because the page may be mapped by userspace. In that case we need to flush the kernel cache. * flush_dcache_page asks for the list of userspace mappings, however that page->mapping field is reused by the slab subsystem for a different purpose. This causes the crash. Note that other architectures without coherent caches (sparc, arm, mips) also call page_mapping from flush_dcache_page, so they may crash in the same way. This patch fixes this bug by testing if the page is a slab page in page_mapping and returning NULL if it is. The patch also fixes VM_BUG_ON(PageSlab(page)) that could happen in earlier kernels in the same scenario on architectures without cache coherence when CONFIG_DEBUG_VM is enabled - so it should be backported to stable kernels. In the old kernels, the function page_mapping is placed in include/linux/mm.h, so you should modify the patch accordingly when backporting it. Signed-off-by: Mikulas Patocka Cc: John David Anglin ] Cc: Andi Kleen Cc: Christoph Lameter Acked-by: Pekka Enberg Reviewed-by: Joonsoo Kim Cc: Helge Deller Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/util.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit e71bfbceaa0246366fe3753a893c660f22568bb9 Merge: 83b84f4 e8219cf Author: Brad Spengler Date: Sat Jan 18 17:30:14 2014 -0500 Merge branch 'pax-test' into grsec-test commit 83b84f4f7b950eeddc319df9dabeca8df99c19e7 Author: Brad Spengler Date: Sat Jan 18 17:30:05 2014 -0500 Revert "Revert recent PaX marking change that broke a significant number" This reverts commit 59672b779a7ef3857bb9335c668f671ea04c8a19. fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++----------------------- 1 files changed, 30 insertions(+), 23 deletions(-) commit e8219cf65fbb6e3763c4298831239929d1c1f9fa Author: Brad Spengler Date: Sat Jan 18 17:29:19 2014 -0500 Update to pax-linux-3.12.8-test15.patch: - reworked the interaction between the various PaX control flag mechanisms for better consistency - fixed type attribute handling in the constify plugin, reported by spender fs/binfmt_elf.c | 144 +++++++++++++++++++++++------------------- include/linux/sched.h | 1 + include/uapi/linux/sysctl.h | 6 -- tools/gcc/constify_plugin.c | 20 +++--- 4 files changed, 89 insertions(+), 82 deletions(-) commit 88474da15f3f3f5d93848102d03bb4983b9a0b78 Merge: 59672b7 dbe1b0b28 Author: Brad Spengler Date: Thu Jan 16 07:00:51 2014 -0500 Merge branch 'pax-test' into grsec-test commit dbe1b0b28973953b8919fbfc479054d527066737 Merge: 229fa99 97f15f1 Author: Brad Spengler Date: Thu Jan 16 07:00:16 2014 -0500 Update to pax-linux-3.12.8-test14.patch: - added a generated file to dontdiff, reported by Emese - removed duplicated code due to a mismerge Merge branch 'linux-3.12.y' into pax-test Conflicts: arch/x86/include/asm/fpu-internal.h commit 59672b779a7ef3857bb9335c668f671ea04c8a19 Author: Brad Spengler Date: Thu Dec 26 19:23:25 2013 -0500 Revert recent PaX marking change that broke a significant number of existing systems. The marking system will be revamped in a later patch to fix softmode support while making XT markings more usable. fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ 1 files changed, 23 insertions(+), 30 deletions(-) commit 528d5554e49536241bdf98c59ac3daedf2855a11 Merge: f17b6ff 229fa99 Author: Brad Spengler Date: Sun Jan 12 07:56:10 2014 -0500 Merge branch 'pax-test' into grsec-test commit 229fa990d096324284db79ed69b336d19df28afb Author: Brad Spengler Date: Sun Jan 12 07:55:36 2014 -0500 update to newer size_overflow hash table tools/gcc/size_overflow_hash.data | 150 +++++++++++++++++++++---------------- 1 files changed, 84 insertions(+), 66 deletions(-) commit f17b6ff4817c57c0aaae76c2c1cf2ee759773292 Merge: 93e7728 6e027b9 Author: Brad Spengler Date: Sat Jan 11 17:38:57 2014 -0500 Merge branch 'pax-test' into grsec-test commit 6e027b9f1196ed76313c256f8f962afd334d999f Author: Brad Spengler Date: Sat Jan 11 17:38:28 2014 -0500 Update to pax-linux-3.12.7-test12.patch: - new size overflow plugin and hash table from Emese, should really fix the canon_copy_from_read_buf problem - fixed incorrent module parameter type in vivi, caught by the size overflow plugin drivers/media/platform/vivi.c | 4 +- tools/gcc/size_overflow_hash.data | 120 ++++++++++++++++++------------------ tools/gcc/size_overflow_plugin.c | 64 +++++++++++++------- 3 files changed, 105 insertions(+), 83 deletions(-) commit 93e7728fe0c37e00421e82cc43f8d467d5161751 Merge: 41ac3ff eadfb9b Author: Brad Spengler Date: Thu Jan 9 17:47:29 2014 -0500 Merge branch 'pax-test' into grsec-test commit eadfb9b1066d32ee537369fd67683297eb791ed0 Merge: bccc569 4301b7a Author: Brad Spengler Date: Thu Jan 9 17:46:48 2014 -0500 Update to pax-linux-3.12.7-test11.patch: - fixed powerpc compilation, by Purushothama Siddaiah - updated size overflow hash table from Emese, reported by Brian Haslett Merge branch 'linux-3.12.y' into pax-test Conflicts: include/linux/reboot.h mm/fremap.c mm/memory-failure.c scripts/link-vmlinux.sh commit 41ac3ff0c57f5b8bc2e32fd6ee58d618a6c8feec Author: Brad Spengler Date: Wed Jan 8 20:24:27 2014 -0500 zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it fs/proc/stat.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a1c966be13a8cfa254a6814c8a79caed3b421f0a Author: Brad Spengler Date: Wed Jan 8 18:13:15 2014 -0500 fix typo mm/vmstat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f1b3c3eec89cd91474518f7fbd6ffe11c0cf22c7 Author: Brad Spengler Date: Wed Jan 8 18:06:53 2014 -0500 provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened mm/vmstat.c | 21 +++++++++++++++------ 1 files changed, 15 insertions(+), 6 deletions(-) commit 4e7ac33a7cf3cb6387d69a4d9ba248a2a2c95c52 Merge: ecdc265 bccc569 Author: Brad Spengler Date: Wed Jan 8 17:55:50 2014 -0500 Merge branch 'pax-test' into grsec-test commit bccc5691fbe71245abd1e39c4387c1c0146bb3fd Author: Brad Spengler Date: Wed Jan 8 17:55:08 2014 -0500 Update to pax-linux-3.12.6-test10.patch: - removed config reference to EXT4_FS_XATTR, reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3904) - Emese worked around a few intentional overflows that triggered the size overflow plugin - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907) - in canon_copy_from_read_buf, reported by dwokfur (http://forums.grsecurity.net/viewtopic.php?f=3&t=3905) drivers/tty/n_tty.c | 2 +- drivers/usb/core/devio.c | 2 +- security/Kconfig | 1 - tools/gcc/size_overflow_plugin.c | 173 ++++++++++++++++++++++++++++++++------ 4 files changed, 150 insertions(+), 28 deletions(-) commit ecdc2658f89f545acbfddbcef93c04a5bd3c9ce2 Author: Brad Spengler Date: Wed Jan 8 17:46:46 2014 -0500 back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers drivers/pci/pci-sysfs.c | 9 --------- drivers/pci/proc.c | 3 --- 2 files changed, 0 insertions(+), 12 deletions(-) commit 3b9532bcc2f2fda37c6316047764e65d05cfc0d7 Author: Brad Spengler Date: Thu Jan 2 17:05:39 2014 -0500 add missing #include fs/proc/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 44c29b5b08a4475bcd7ca653abe5ed172fa1f8a0 Author: Brad Spengler Date: Thu Jan 2 17:02:24 2014 -0500 Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc) Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 checks currently drivers/pci/pci-sysfs.c | 17 +++++++---------- drivers/pci/proc.c | 13 ++----------- drivers/pci/syscall.c | 4 ---- 3 files changed, 9 insertions(+), 25 deletions(-) commit 5d6ce67e5ed3913c105cf2fc7c9db1d6e2a9f84a Author: Brad Spengler Date: Tue Dec 31 10:30:20 2013 -0500 Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry fs/proc/stat.c | 34 ++++++++++++++++++++++++---------- 1 files changed, 24 insertions(+), 10 deletions(-) commit fb5263307b4892bbaefc83427412b54c12a4e422 Author: Brad Spengler Date: Mon Dec 30 11:19:53 2013 -0500 Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1 fs/proc/interrupts.c | 4 ++++ fs/proc/stat.c | 4 ++++ 2 files changed, 8 insertions(+), 0 deletions(-) commit e5f67af1a42dbde9aae812c25e2498b908919689 Author: Brad Spengler Date: Mon Dec 30 11:13:49 2013 -0500 Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information. grsecurity/Kconfig | 16 ++++++++++------ grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++--- include/linux/grmsg.h | 2 +- ipc/util.c | 3 ++- 4 files changed, 42 insertions(+), 11 deletions(-) commit a5a7395ebf9054496b21fd84978daba0a9bfde5d Merge: b07a1fc bfce0d4 Author: Brad Spengler Date: Thu Dec 26 19:24:39 2013 -0500 Merge branch 'pax-test' into grsec-test commit bfce0d4c8f94977de165b9a559c531759d031b4b Author: Brad Spengler Date: Thu Dec 26 19:23:25 2013 -0500 Revert recent PaX marking change that broke a significant number of existing systems. The marking system will be revamped in a later patch to fix softmode support while making XT markings more usable. fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ 1 files changed, 23 insertions(+), 30 deletions(-) commit b07a1fc3ab37cf27f8e7b56193a08adfadd569b6 Author: Brad Spengler Date: Thu Dec 26 19:20:26 2013 -0500 add missing #include grsecurity/grsec_mount.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 5fbe9de8e020fdf6b911a2368e41ba88df554343 Author: Brad Spengler Date: Thu Dec 26 15:51:51 2013 -0500 Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM grsecurity/Kconfig | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit d26ce94a15a14d44494fd3e307baebc2511a09b8 Author: Brad Spengler Date: Thu Dec 26 15:35:31 2013 -0500 Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig). grsecurity/gracl.c | 2 +- grsecurity/grsec_mount.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 4bbb922e6241dad03e37919f66e9f422743f5b5e Author: Brad Spengler Date: Wed Dec 25 16:37:02 2013 -0500 Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not the other way around (to produce more secure settings when distro configs are used as a base) drivers/acpi/custom_method.c | 4 ++++ drivers/pci/pci-sysfs.c | 12 ++++++++++++ drivers/pci/proc.c | 12 ++++++++++++ drivers/pci/syscall.c | 4 ++++ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ kernel/power/Kconfig | 2 ++ security/Kconfig | 1 - 7 files changed, 46 insertions(+), 1 deletions(-) commit 3ae9170407e5782e6a7b2bd796b60149864e6c3e Author: Chad Hanson Date: Mon Dec 23 17:45:01 2013 -0500 Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc selinux: fix broken peer recv check Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored. Signed-off-by: Chad Hanson Cc: stable@vger.kernel.org Signed-off-by: Paul Moore security/selinux/hooks.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit c870e769c2d34bff7a0eba239c092bb115bb9d71 Author: Oleg Nesterov Date: Mon Dec 23 17:45:01 2013 -0500 Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() selinux_setprocattr() does ptrace_parent(p) under task_lock(p), but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, this looks confusing and triggers the "suspicious RCU usage" warning because ptrace_parent() does rcu_dereference_check(). And in theory this is wrong, spin_lock()->preempt_disable() doesn't necessarily imply rcu_read_lock() we need to access the ->parent. Reported-by: Evan McNabb Signed-off-by: Oleg Nesterov Cc: stable@vger.kernel.org Signed-off-by: Paul Moore security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 717544da98db68da8cf1b902e33eefc098170128 Author: Benjamin LaHaise Date: Sat Dec 21 15:49:28 2013 -0500 Upstream commit: 1881686f842065d2f92ec9c6424830ffc17d23b0 aio: fix kioctx leak introduced by "aio: Fix a trinity splat" e34ecee2ae791df674dfb466ce40692ca6218e43 reworked the percpu reference counting to correct a bug trinity found. Unfortunately, the change lead to kioctxes being leaked because there was no final reference count to put. Add that reference count back in to fix things. Signed-off-by: Benjamin LaHaise Cc: stable@vger.kernel.org fs/aio.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 21649f0e322166802adf5872f2affc38a0d6eb18 Author: Jianguo Wu Date: Wed Dec 18 17:08:59 2013 -0800 Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747 mm/hugetlb: check for pte NULL pointer in __page_check_address() In __page_check_address(), if address's pud is not present, huge_pte_offset() will return NULL, we should check the return value. Signed-off-by: Jianguo Wu Cc: Naoya Horiguchi Cc: Mel Gorman Cc: qiuxishi Cc: Hanjun Guo Acked-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: mm/rmap.c mm/rmap.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 184b047d4bc06f058aadb07393270e5d972af3aa Author: Kirill A. Shutemov Date: Fri Dec 20 15:10:03 2013 +0200 Upstream commit: ee53664bda169f519ce3c6a22d378f0b946c8178 mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Sasha Levin found a NULL pointer dereference that is due to a missing page table lock, which in turn is due to the pmd entry in question being a transparent huge-table entry. The code - introduced in commit 1998cc048901 ("mm: make madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it turns out that that function doesn't work correctly. pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would trigger if the transparent hugepage bit was set, but it doesn't do that if pmd_numa() is also set. Note that the NUMA bit only gets set on real NUMA machines, so people trying to reproduce this on most normal development systems would never actually trigger this. Fix it by removing the very subtle (and subtly incorrect) expectation, and instead just checking pmd_trans_huge() explicitly. Reported-by: Sasha Levin Acked-by: Andrea Arcangeli [ Additionally remove the now stale test for pmd_trans_huge() inside the pmd_bad() case - Linus ] Signed-off-by: Linus Torvalds include/asm-generic/pgtable.h | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 1d769ef5d57f3bb616929c7e3c600852e20d575e Author: Daniel Borkmann Date: Tue Dec 17 00:38:39 2013 +0100 Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f net: inet_diag: zero out uninitialized idiag_{src,dst} fields Jakub reported while working with nlmon netlink sniffer that parts of the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3]. In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] memory through this. At least, in udp_dump_one(), we allocate a skb in ... rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL); ... and then pass that to inet_sk_diag_fill() that puts the whole struct inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], r->id.idiag_dst[0] and leave the rest untouched: r->id.idiag_src[0] = inet->inet_rcv_saddr; r->id.idiag_dst[0] = inet->inet_daddr; struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / fully filled out in IPv6 case, but for IPv4 not. So just zero them out by using plain memset (for this little amount of bytes it's probably not worth the extra check for idiag_family == AF_INET). Similarly, fix also other places where we fill that out. Reported-by: Jakub Zawadzki Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller Conflicts: net/ipv4/inet_diag.c net/ipv4/inet_diag.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) commit 11093b2d02f7bba2c9085b2d2d020b9ee34f8737 Author: Wenliang Fan Date: Tue Dec 17 11:25:28 2013 +0800 Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan Signed-off-by: David S. Miller drivers/net/hamradio/hdlcdrv.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e162be84a9971452943c1d85a59c866a5486222b Author: Ard Biesheuvel Date: Mon Dec 23 18:49:30 2013 +0100 Upstream commit: f60900f2609e893c7f8d0bccc7ada4947dac4cd5 auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE accordingly. Signed-off-by: Ard Biesheuvel Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry) Cc: stable@vger.kernel.org Acked-by: Michael Neuling Cc: Nishanth Aravamudan Cc: Benjamin Herrenschmidt Signed-off-by: Linus Torvalds include/linux/auxvec.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a60029d4fb8d62b6dd3617a8ab4031fd79b89fe3 Author: Brad Spengler Date: Wed Dec 25 15:11:51 2013 -0500 remove unused 'dentry' variable fs/xattr.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit d6e290d23c8c47c19536ed84f403eb81f224ed67 Author: Brad Spengler Date: Wed Dec 25 15:03:13 2013 -0500 Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use. fs/xattr.c | 18 +++++++++++------- grsecurity/gracl_fs.c | 6 ++++++ grsecurity/grsec_disabled.c | 6 ++++++ include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 2 ++ 5 files changed, 27 insertions(+), 8 deletions(-) commit 848b9c1e52382f446a2db679d6ee68c0a8cbc52e Merge: e45d1dd 846d19a Author: Brad Spengler Date: Sun Dec 22 10:36:48 2013 -0500 Merge branch 'pax-test' into grsec-test commit 846d19aa4207282ce5ac54237517e54324eda092 Author: Brad Spengler Date: Sun Dec 22 10:35:16 2013 -0500 Update to pax-linux-3.12.6-test9.patch: - updated size overflow hash table from spender - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899) virt/kvm/kvm_main.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) commit e45d1ddcd3c8005889acc55fbf9e57171339fbb4 Merge: b5c87f6 6754393 Author: Brad Spengler Date: Sat Dec 21 07:53:42 2013 -0500 Merge branch 'pax-test' into grsec-test commit 6754393ea42b9fb1d6d8e4635e8364674cee2bbd Author: Brad Spengler Date: Sat Dec 21 07:53:22 2013 -0500 Update size_overflow hash table tools/gcc/size_overflow_hash.data | 119 +++++++++++++++++++------------------ 1 files changed, 60 insertions(+), 59 deletions(-) commit b5c87f632d1cf19639a94c36276f96955221c77a Author: Brad Spengler Date: Fri Dec 20 20:18:56 2013 -0500 compile fix fs/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 47618a93b003d648b5704040d1e502f76de07093 Merge: ba0eeed 37eeb47 Author: Brad Spengler Date: Fri Dec 20 20:18:18 2013 -0500 Merge branch 'pax-test' into grsec-test commit 37eeb473486a08e3beae62841b19169aef36564d Author: Brad Spengler Date: Fri Dec 20 20:17:46 2013 -0500 Update to pax-linux-3.12.6-test8.patch: - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877) - updated size overflow hash table from spender fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++----------------------- 1 files changed, 30 insertions(+), 23 deletions(-) commit ba0eeed0532b602905d87e9bf25aad3664c3f36b Merge: 453a7f1 9dda34c Author: Brad Spengler Date: Fri Dec 20 19:17:33 2013 -0500 Merge branch 'pax-test' into grsec-test commit 9dda34cba200c6eadcbbbccbb4729627fd82e6be Merge: 63ebe2d2 d0266db Author: Brad Spengler Date: Fri Dec 20 19:17:18 2013 -0500 Merge branch 'linux-3.12.y' into pax-test Conflicts: arch/x86/boot/Makefile commit 453a7f1e18d89056fa27a9fdc777cea1a6fd7fe5 Merge: bb777f5 63ebe2d2 Author: Brad Spengler Date: Thu Dec 19 22:48:02 2013 -0500 Merge branch 'pax-test' into grsec-test commit 63ebe2d2adf8f5ebc1639c1b8d8577fbe5813fcd Author: Brad Spengler Date: Thu Dec 19 22:47:35 2013 -0500 add 42 functions to the size_overflow hash table tools/gcc/size_overflow_hash.data | 59 +++++++++++++++++++++++++++++------- 1 files changed, 47 insertions(+), 12 deletions(-) commit bb777f517e6c2a53909351245d7d2009d8ad4c5b Merge: cc59b1f a03d29c Author: Brad Spengler Date: Thu Dec 19 17:12:01 2013 -0500 Merge branch 'pax-test' into grsec-test commit a03d29c1eead36d4f9eac27b3a5d4b4266360a81 Author: Brad Spengler Date: Thu Dec 19 17:11:19 2013 -0500 Update to pax-linux-3.12.5-test7.patch: - fixed some more size overflow reports - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898) - better fix for the gcc induced intentional overflow in usbdev_read arch/x86/include/asm/atomic.h | 6 +++--- arch/x86/include/asm/atomic64_32.h | 2 +- arch/x86/include/asm/atomic64_64.h | 2 +- drivers/usb/core/devio.c | 2 +- fs/file.c | 4 ++-- include/asm-generic/atomic-long.h | 2 +- tools/gcc/size_overflow_hash.data | 3 --- 7 files changed, 9 insertions(+), 12 deletions(-) commit cc59b1fbe8989a6f99d229b34653e40a84d871f4 Merge: 44842d2 6ffdbdf Author: Brad Spengler Date: Sun Dec 15 10:40:14 2013 -0500 Merge branch 'pax-test' into grsec-test commit 6ffdbdf295f56e22ce8626b555a03e4d2b8c6a61 Author: Brad Spengler Date: Sun Dec 15 10:38:59 2013 -0500 Update to pax-linux-3.12.5-test6.patch: - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver tools/gcc/size_overflow_plugin.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit 44842d2f32b7fd6f325a90b15bd0a094f08feab9 Merge: c2c9b35 f85d978 Author: Brad Spengler Date: Sat Dec 14 10:58:46 2013 -0500 Merge branch 'pax-test' into grsec-test commit f85d978a63b7388c6ab97b54808992fe2ee4ac8c Author: Brad Spengler Date: Sat Dec 14 10:58:14 2013 -0500 Update to pax-linux-3.12.5-test5.patch: - properly fix the use-after-free in sys_remap_file_pages, by Rik van Riel (http://www.spinics.net/lists/linux-mm/msg66710.html) mm/fremap.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit c2c9b35fca510f7e29f80efa2999695448083b52 Author: Linus Torvalds Date: Thu Dec 12 09:38:42 2013 -0800 Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c futex: fix handling of read-only-mapped hugepages The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()"). The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken. Found by Dave Jones and his trinity tool. Reported-and-tested-by: Dave Jones Cc: stable@kernel.org # v2.6.38+ Acked-by: Thomas Gleixner Cc: Mel Gorman Cc: Darren Hart Cc: Andrea Arcangeli Cc: Oleg Nesterov Signed-off-by: Linus Torvalds kernel/futex.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7fe4be2ce4c49484298f71455cdcac08149985cb Author: Andy Honig Date: Mon Nov 18 16:09:22 2013 -0800 Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96 KVM: Improve create VCPU parameter (CVE-2013-4587) In multiple functions the vcpu_id is used as an offset into a bitfield. Ag malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate priveges in the kernel. This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked. Reported-by: Andrew Honig Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini virt/kvm/kvm_main.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit e3a3b7a0010abaf6f28afb8521fcb29cee6b3c4c Author: Andy Honig Date: Tue Nov 19 14:12:18 2013 -0800 Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid support tsc deadline timers and performs the following sequence of requests the host will crash. - Set the mode to periodic - Set the TMICT to 0 - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) - Set the TMICT to non-zero. Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0. This patch ensures that if the lapic_timer.period is 0, then the division does not occur. Reported-by: Andrew Honig Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini arch/x86/kvm/lapic.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2b8e6adf070a8938133e318e9a6e2f633095f038 Author: Andy Honig Date: Wed Nov 20 10:23:22 2013 -0800 Upstream commit: fda4e2e85589191b123d31cdc21fd33ee70f50fd KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the potential to corrupt kernel memory if userspace provides an address that is at the end of a page. This patches concerts those functions to use kvm_write_guest_cached and kvm_read_guest_cached. It also checks the vapic_address specified by userspace during ioctl processing and returns an error to userspace if the address is not a valid GPA. This is generally not guest triggerable, because the required write is done by firmware that runs before the guest. Also, it only affects AMD processors and oldish Intel that do not have the FlexPriority feature (unless you disable FlexPriority, of course; then newer processors are also affected). Fixes: b93463aa59d6 ('KVM: Accelerated apic support') Reported-by: Andrew Honig Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini arch/x86/kvm/lapic.c | 27 +++++++++++++++------------ arch/x86/kvm/lapic.h | 4 ++-- arch/x86/kvm/x86.c | 40 +--------------------------------------- 3 files changed, 18 insertions(+), 53 deletions(-) commit 6261a034c2cc7f34b4c7663ace10d74f9c1fe479 Author: Gleb Natapov Date: Thu Dec 12 21:20:08 2013 +0100 Upstream commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271 KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) A guest can cause a BUG_ON() leading to a host kernel crash. When the guest writes to the ICR to request an IPI, while in x2apic mode the following things happen, the destination is read from ICR2, which is a register that the guest can control. kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the cluster id. A BUG_ON is triggered, which is a protection against accessing map->logical_map with an out-of-bounds access and manages to avoid that anything really unsafe occurs. The logic in the code is correct from real HW point of view. The problem is that KVM supports only one cluster with ID 0 in clustered mode, but the code that has the bug does not take this into account. Reported-by: Lars Bull Cc: stable@vger.kernel.org Signed-off-by: Gleb Natapov Signed-off-by: Paolo Bonzini arch/x86/kvm/lapic.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit beb27f127ef300b52f8c20402d053b05bab7f4e3 Merge: 82c673f b8daf53 Author: Brad Spengler Date: Fri Dec 13 20:11:22 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/parisc/kernel/sys_parisc.c commit b8daf537ab923daf14f38d283ca5361424154fa8 Merge: 7689612 156c758 Author: Brad Spengler Date: Fri Dec 13 20:07:08 2013 -0500 Update to pax-linux-3.12.5-test4.patch: - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus - fixed underallocation in __d_alloc that would cause an out-of-bounds read later, reported by Dmitry Vyukov and Kees Cook, not understood by Al Viro (http://lkml.org/lkml/2013/10/3/493 and http://lkml.org/lkml/2013/10/11/293) - fixed use-after-free in sys_remap_file_pages, reported by Dmitry Vyukov (http://lkml.org/lkml/2013/9/17/30) - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver - fixed a btrfs bug caught by the size overflow plugin, reported by Jens Binnewies (http://forums.grsecurity.net/viewtopic.php?f=1&t=3887) turns out that it was fixed upstream already but never marked for stable backport: - https://bugzilla.kernel.org/show_bug.cgi?id=66661 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/btrfs/tree-log.c?id=ed9e8af88e2551aaa6bf51d8063a2493e2d71597 - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz SÅ‚awiÅ„ski (https://bugs.gentoo.org/show_bug.cgi?id=487938) - the mask register has been changed from r10 (used by DRAP) to r12 - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible) Merge branch 'linux-3.12.y' into pax-test Conflicts: arch/parisc/kernel/sys_parisc.c fs/pipe.c commit 82c673fdfd9925cda2e94b67f775be70b8ef4cca Author: Brad Spengler Date: Fri Dec 13 19:39:54 2013 -0500 Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy) In practice this causes bogus auditing messages for / and could potentially cause a subject without executable shared memory support to permit executable shared memory (if PaX is disabled on the binary). Instead just allocate these two special objects with kzalloc at enable time and free them at disable time. Thanks to nyt@countercultured.net for the report grsecurity/gracl_policy.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b0be33b9efb31e2cb745d1b33eee4f89b315d5bf Merge: 4c60da7 7689612 Author: Brad Spengler Date: Sun Dec 8 17:07:04 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/ipv4/ping.c commit 7689612bef2f353f37a2fe94ff0ef8c72634b522 Merge: 2f004b8 289b6c7 Author: Brad Spengler Date: Sun Dec 8 17:05:58 2013 -0500 Merge branch 'linux-3.12.y' into pax-test Conflicts: net/compat.c net/ipv4/ping.c net/ipv6/sit.c net/socket.c commit 4c60da771d2fba442fe7831d590277e6fe80e908 Author: Brad Spengler Date: Sun Dec 8 16:12:01 2013 -0500 Backport of: If we allocate less than sizeof(struct attrlist) then we end up corrupting memory or doing a ZERO_PTR_SIZE dereference. This can only be triggered with CAP_SYS_ADMIN. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter fs/xfs/xfs_ioctl.c | 3 ++- fs/xfs/xfs_ioctl32.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) commit bd50af2c306bfe6287631e0e1745cc5d2fbad0c2 Author: Hannes Frederic Sowa Date: Thu Dec 5 23:29:19 2013 +0100 Upstream commit: 239c78db9c41a8f524cce60507440d72229d73bc net: clear local_df when passing skb between namespaces We must clear local_df when passing the skb between namespaces as the packet is not local to the new namespace any more and thus may not get fragmented by local rules. Fred Templin noticed that other namespaces do fragment IPv6 packets while forwarding. Instead they should have send back a PTB. The same problem should be present when forwarding DF-IPv4 packets between namespaces. Reported-by: Templin, Fred L Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/core/skbuff.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7803212c99050491bd0a2618e039f62c825f82e5 Author: Linus Torvalds Date: Mon Dec 2 11:50:37 2013 -0800 Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d uio: we cannot mmap unaligned page contents In commit 7314e613d5ff ("Fix a few incorrectly checked [io_]remap_pfn_range() calls") the uio driver started more properly checking the passed-in user mapping arguments against the size of the actual uio driver data. That in turn exposed that some driver authors apparently didn't realize that mmap can only work on a page granularity, and had tried to use it with smaller mappings, with the new size check catching that out. So since it's not just the user mmap() arguments that can be confused, make the uio mmap code also verify that the uio driver has the memory allocated at page boundaries in order for mmap to work. If the device memory isn't properly aligned, we return [ENODEV] The fildes argument refers to a file whose type is not supported by mmap(). as per the open group documentation on mmap. Reported-by: Holger Brunck Acked-by: Greg KH Signed-off-by: Linus Torvalds drivers/uio/uio.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e5fb91d26cb825c36042d62373c0a32a176cfe2d Merge: 6b9d9e2 2f004b8 Author: Brad Spengler Date: Sun Dec 8 10:18:49 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: mm/mmap.c commit 2f004b87204d113e467ba360ac8b0a9cbfcf01cb Merge: c04a09b 81605d3 Author: Brad Spengler Date: Sun Dec 8 10:16:53 2013 -0500 Update to pax-linux-3.12.3-test2.patch: - forward port to 3.12.3 - fixed incorrect ACCESS_ONCE accessors in rcutree, reported by mcp - fixed the usual arm/CONSTIFY fallout, reported by Michael Tremer - changed the constify plugin to give better error messages - worked around a gcc induced intentional integer overflow in usbdev_read, reported by quasar366 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3889) - better fix for http://forums.grsecurity.net/viewtopic.php?f=3&t=3885 - fixed crash under qemu when INVPCID was enabled (say, on -cpu Haswell) but PCID itself wasn't, reported by spender - updated size overflow plugin from Emese, coverage will increase further Merge branch 'linux-3.12.y' into pax-test Conflicts: kernel/trace/ftrace.c mm/mmap.c commit 6b9d9e2fe7cd30598a4c22c159ff3b06339e23c8 Author: David Herrmann Date: Tue Nov 26 13:58:18 2013 +0100 Upstream commit: 80897aa787ecd58eabb29deab7cbec9249c9b7e6 HID: uhid: fix leak for 64/32 UHID_CREATE UHID allows short writes so user-space can omit unused fields. We automatically set them to 0 in the kernel. However, the 64/32 bit compat-handler didn't do that in the UHID_CREATE fallback. This will reveal random kernel heap data (of random size, even) to user-space. Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems') Reported-by: Ben Hutchings Signed-off-by: David Herrmann Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina drivers/hid/uhid.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a06981f0117d614ba4d30f6b5dd6eff7d418ffae Author: Brad Spengler Date: Wed Dec 4 18:15:02 2013 -0500 Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2 fs/coredump.c | 7 +++++-- grsecurity/grsec_sig.c | 14 ++------------ include/linux/grsecurity.h | 2 +- 3 files changed, 8 insertions(+), 15 deletions(-) commit fc706a922b49e3157cac848fb0c8d1dcf4f360bb Merge: 0f023d5 c04a09b Author: Brad Spengler Date: Tue Dec 3 21:41:57 2013 -0500 Merge branch 'pax-test' into grsec-test commit c04a09b7dbfafdbee85e09c224e90ebc665ce4f5 Author: Brad Spengler Date: Tue Dec 3 21:41:20 2013 -0500 fix up ACCESS_ONCE -> ACCESS_ONCE_RW, as reported by mcp kernel/rcutree_plugin.h | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0f023d59d361b9880155dd8ddb0c1e19a48437c6 Author: Brad Spengler Date: Tue Dec 3 19:39:04 2013 -0500 Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated. Disable KEXEC when GRKERNSEC_KMEM is enabled: http://mjg59.dreamwidth.org/28746.html Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/mips/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/tile/Kconfig | 1 + arch/x86/Kconfig | 1 + arch/x86/kernel/ioport.c | 12 ++++++------ grsecurity/Kconfig | 27 +++++++++++---------------- 8 files changed, 23 insertions(+), 22 deletions(-) commit 9f610c9c398e7e61183feb7fec6b91b9f2223b61 Merge: fed624e 1395b8f Author: Brad Spengler Date: Mon Dec 2 17:33:01 2013 -0500 Merge branch 'pax-test' into grsec-test commit 1395b8f8832d179a0c73e890754534c9d5442201 Author: Brad Spengler Date: Mon Dec 2 17:31:35 2013 -0500 Forward-ported the following fix from 3.2: - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885) This caused filesystem corruption in the reported XFS case, problem introduced with Nov 24th patch (IPA-based size overflow plugin) arch/x86/include/asm/atomic64_32.h | 2 +- arch/x86/include/asm/atomic64_64.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fed624ebfd1d08ee6db247733cdb44df0e1be8b0 Author: Brad Spengler Date: Mon Dec 2 17:20:00 2013 -0500 Fix qemu -cpu Haswell booting with pax_nouderef on the kernel cmdline init/main.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a72ed588cbbda00d356529507b6bdca56c19d4c3 Merge: 3f201fe db6d69f Author: Brad Spengler Date: Sat Nov 30 10:46:15 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/dcache.c ipc/shm.c net/sunrpc/clnt.c commit db6d69f61412f929242423f92d52f4c2c74bab5d Merge: 1f411d7 050dcf4 Author: Brad Spengler Date: Sat Nov 30 10:40:33 2013 -0500 Merge branch 'linux-3.12.y' into pax-test commit 3f201fe9a368a4b0339a2f3cf1259b785ae8374c Author: Brad Spengler Date: Tue Nov 26 15:16:48 2013 -0500 Fix null deref on application of the shutdown role, reported by zakalwe grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++- grsecurity/gracl_policy.c | 58 ++++----------------------------------------- 2 files changed, 62 insertions(+), 54 deletions(-) commit f5648d16a7cc79abe6de7ae62e284fa511bb750a Author: Brad Spengler Date: Tue Nov 26 13:04:07 2013 -0500 Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root kernel/kmod.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit c610c1f0f580069a1dc9d58c0eb0bddd33cbc25c Author: Brad Spengler Date: Tue Nov 26 12:59:00 2013 -0500 Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe grsecurity/gracl_policy.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4026c926f19d7642c1f89895b556fe2addaef239 Author: Al Viro Date: Wed Nov 13 07:45:40 2013 -0500 Upstream commit: ede4cebce16f5643c61aedd6d88d9070a1d23a68 prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts ... and equivalent is needed in 3.12; it's broken there as well Signed-off-by: Al Viro Conflicts: fs/dcache.c fs/dcache.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) commit c68d27fa66951166bff79a5c1bcc26985ac3f8bc Merge: 94b560b 1f411d7 Author: Brad Spengler Date: Mon Nov 25 23:09:47 2013 -0500 Merge branch 'pax-test' into grsec-test commit 1f411d73c56904d2be9cde1f78aaec7f4554dab1 Merge: 5f17cd8 6beb1be Author: Brad Spengler Date: Mon Nov 25 23:09:34 2013 -0500 Merge branch 'linux-3.12.y' into pax-test commit 94b560b0163a20b9eab9ec77b83f0bff853fe601 Author: Brad Spengler Date: Mon Nov 25 22:33:33 2013 -0500 compile fix kernel/kmod.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 58c014d37769d384c2e3c06ce5f60fe54f855b24 Merge: 48ac6ac 5f17cd8 Author: Brad Spengler Date: Mon Nov 25 22:27:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c commit 5f17cd87d5c7faf606255f061dd394f6761e38df Author: Brad Spengler Date: Mon Nov 25 22:25:42 2013 -0500 Update to pax-linux-3.12.1-test2.patch: - made arm/UDEREF violation reports more consistent, reported by acez and spender - added a bit more amd64 kernel page table hardening - fixed some constify related compiler errors - fixed stack trace reports under i386/KERNEXEC, reported by ncopa and minipli - updated the size overflow hash table arch/arm/mm/fault.c | 16 ++- arch/x86/include/asm/paravirt_types.h | 2 +- arch/x86/kernel/head_64.S | 18 ++- drivers/gpu/drm/radeon/radeon_ttm.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hwmon/nct6775.c | 6 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- include/linux/hwmon-sysfs.h | 1 + include/linux/pm.h | 1 + include/linux/vga_switcheroo.h | 8 +- net/core/sysctl_net_core.c | 2 +- scripts/link-vmlinux.sh | 4 +- sound/soc/soc-core.c | 6 +- tools/gcc/size_overflow_hash.data | 142 ++++++++++++-------- 21 files changed, 145 insertions(+), 111 deletions(-) commit 48ac6ac8a1fd55f2b276bf5326ce52782b7c554f Author: Brad Spengler Date: Mon Nov 25 12:01:21 2013 -0500 Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity kernel/kmod.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9ed081196dcaa72bae91d5a31329e35bd480d92b Author: Brad Spengler Date: Sun Nov 24 22:49:05 2013 -0500 Revert "HID: multitouch: validate feature report details" This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684. drivers/hid/hid-multitouch.c | 25 +++++-------------------- 1 files changed, 5 insertions(+), 20 deletions(-) commit 801d69b26655ea7240df45ad14f96054e4d9803a Author: Brad Spengler Date: Sun Nov 24 22:48:49 2013 -0500 Revert "HID: lenovo-tpkbd: validate output report details" This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a. drivers/hid/hid-lenovo-tpkbd.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit 1f70f596dd47ca9467a06b19ffc341c147ea4a23 Author: Brad Spengler Date: Sun Nov 24 22:48:33 2013 -0500 Revert "HID: steelseries: validate output report details" This reverts commit 0996966348dc3c3f7515567d3245292785d484fc. drivers/hid/hid-steelseries.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit 8101ee4167c83f850cc2366088e3f60d01dcb9f7 Author: Brad Spengler Date: Sun Nov 24 22:22:03 2013 -0500 remove __no_const from pv_lock_ops as it's not constified by the plugin arch/x86/include/asm/paravirt_types.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a94e46e08a9d8236544f881faa9cccecfe9c702b Author: Brad Spengler Date: Sun Nov 24 22:08:33 2013 -0500 add missing header fs/proc/proc_sysctl.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit f0018c34f5ef840fffac10eb60fed9048317832f Author: Brad Spengler Date: Sun Nov 24 22:04:55 2013 -0500 Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace fs/proc/proc_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 99a6a515bf625395fa31892f46311c3877a3fa93 Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 10b6650a259b9a5911a33fc9aaf6677920830eee Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. Signed-off-by: Brad Spengler grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit b035ba537ccc7dc58b9643ab58a2f5a7b4e6738e Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change Signed-off-by: Brad Spengler init/main.c | 12 +++--------- 1 files changed, 3 insertions(+), 9 deletions(-) commit a898fff136a97e265c63375a2a03ebd91c9c1286 Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path Signed-off-by: Brad Spengler include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit 1ae8347eb782c4e961210052e2de554bfdb52980 Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC Signed-off-by: Brad Spengler arch/arm/mm/fault.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 71643b46e6b67e76e52153559d0dc4004c402141 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c Signed-off-by: Brad Spengler grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit e357e72d769e5c35167e2bf934c722fc825ee2cd Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected Signed-off-by: Brad Spengler kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 4ed2dc55aa2344b9ade6cddbe5ee8b51b6239c54 Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well Signed-off-by: Brad Spengler fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 211bbd408a1d7bc2e9ef72df07aa7ce0cbd6c49d Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c Signed-off-by: Brad Spengler net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 4bd8414bb148cf8681c8f1d2deda5739cafb6917 Author: Hannes Frederic Sowa Date: Mon Nov 18 07:07:45 2013 +0100 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 ping: prevent NULL pointer dereference on write to msg_name A plain read() on a socket does set msg->msg_name to NULL. So check for NULL pointer first. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv4/ping.c | 34 +++++++++++++++++++--------------- 1 files changed, 19 insertions(+), 15 deletions(-) commit ccc6e0dd63fc36c5c7fd1bbe4f8fed6533d188a1 Author: Hannes Frederic Sowa Date: Mon Nov 18 04:20:45 2013 +0100 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb Suggested-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ieee802154/dgram.c | 3 +-- net/ipv4/ping.c | 19 +++++++------------ net/ipv4/raw.c | 4 +--- net/ipv4/udp.c | 7 +------ net/ipv6/raw.c | 4 +--- net/ipv6/udp.c | 5 +---- net/l2tp/l2tp_ip.c | 4 +--- net/phonet/datagram.c | 9 ++++----- 8 files changed, 17 insertions(+), 38 deletions(-) commit 0db1e136415d5696b2342b953361ef7c3017247d Author: Jeff Layton Date: Wed Nov 13 09:08:21 2013 -0500 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. There is no guarantee that doing so will work however, so we can end up retrying the call in an infinite loop. Worse yet, we create the new client using rpc_clone_client_set_auth, which creates the new client as a child of the old one. Thus, we can end up with a *very* long lineage of rpc_clnts. When we go to put all of the references to them, we can end up with a long call chain that can smash the stack as each rpc_free_client() call can recurse back into itself. This patch fixes this by simply ensuring that the SETCLIENTID call will only be retried in this situation if the last attempt did not use RPC_AUTH_UNIX. Note too that with this change, we don't need the (i > 2) check in the -EACCES case since we now have a more reliable test as to whether we should reattempt. Cc: stable@vger.kernel.org # v3.10+ Cc: Chuck Lever Tested-by/Acked-by: Weston Andros Adamson Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Brad Spengler fs/nfs/nfs4state.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 74d59ef1b28635f588c47b270777cd69b0e8291f Author: Trond Myklebust Date: Tue Nov 12 17:24:36 2013 -0500 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b SUNRPC: Avoid deep recursion in rpc_release_client In cases where an rpc client has a parent hierarchy, then rpc_free_client may end up calling rpc_release_client() on the parent, thus recursing back into rpc_free_client. If the hierarchy is deep enough, then we can get into situations where the stack simply overflows. The fix is to have rpc_release_client() loop so that it can take care of the parent rpc client hierarchy without needing to recurse. Reported-by: Jeff Layton Reported-by: Weston Andros Adamson Reported-by: Bruce Fields Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust Signed-off-by: Brad Spengler net/sunrpc/clnt.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 8ae59cf66f3a302d45578171337df2d8fe35458c Author: Trond Myklebust Date: Fri Nov 8 16:03:50 2013 -0500 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 SUNRPC: Fix a data corruption issue when retransmitting RPC calls The following scenario can cause silent data corruption when doing NFS writes. It has mainly been observed when doing database writes using O_DIRECT. 1) The RPC client uses sendpage() to do zero-copy of the page data. 2) Due to networking issues, the reply from the server is delayed, and so the RPC client times out. 3) The client issues a second sendpage of the page data as part of an RPC call retransmission. 4) The reply to the first transmission arrives from the server _before_ the client hardware has emptied the TCP socket send buffer. 5) After processing the reply, the RPC state machine rules that the call to be done, and triggers the completion callbacks. 6) The application notices the RPC call is done, and reuses the pages to store something else (e.g. a new write). 7) The client NIC drains the TCP socket send buffer. Since the page data has now changed, it reads a corrupted version of the initial RPC call, and puts it on the wire. This patch fixes the problem in the following manner: The ordering guarantees of TCP ensure that when the server sends a reply, then we know that the _first_ transmission has completed. Using zero-copy in that situation is therefore safe. If a time out occurs, we then send the retransmission using sendmsg() (i.e. no zero-copy), We then know that the socket contains a full copy of the data, and so it will retransmit a faithful reproduction even if the RPC call completes, and the application reuses the O_DIRECT buffer in the meantime. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org Signed-off-by: Brad Spengler net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- 1 files changed, 21 insertions(+), 7 deletions(-) commit 1a40aeaa23860a26df02c9c8729937b6da2bcdd6 Author: Dan Carpenter Date: Thu Nov 14 11:21:10 2013 +0300 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 isdnloop: use strlcpy() instead of strcpy() These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Brad Spengler drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit a7a1549064b332e878efa22fdebed32035cc8f07 Author: Eric Dumazet Date: Thu Nov 14 13:37:54 2013 -0800 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf ipv4: fix possible seqlock deadlock ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters. Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") Signed-off-by: Eric Dumazet Reported-by: Dave Jones Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv4/datagram.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 96b7719c933229c8619f8ad207c141dcc70d546e Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC Signed-off-by: Brad Spengler grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0001071fa9ff6ef9370a370bea51bef2f1e3c2ab Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 05ae94add600530e3ae98f9a153cb6423b91e46a Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit f5be6d902d5b36c0fb40aabb61f686e510a2d887 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c Signed-off-by: Brad Spengler drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e60c412c422f72a52c819465db8b81991d861390 Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 17d5ff67a76aab404c8cbe13576d492a7a8b342a Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit b4aa2136272e6b1cdbb285a74ee17471dd679dfa Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. Signed-off-by: Brad Spengler mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 197a69f1783917091d60db2a3ffd7ff14d41489d Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 010702a965acb2aea4d81510f99d788ab6564123 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig Signed-off-by: Brad Spengler security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 09ce0d45a4fc86ca1389260bf28a62f98ccff362 Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c Signed-off-by: Brad Spengler lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 60a1f79d72bdfc2c6aed1be9537559959a0b8b55 Author: Jason Wang Date: Fri Nov 1 15:01:10 2013 +0800 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd net: flow_dissector: fail on evil iph->ihl We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/core/flow_dissector.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9743a1eca0b0172da4ec07bc07fa30fcccb9fba7 Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/uio/uio.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 187b4936fbaaafd087556919bae3b719e67536b8 Author: Brad Spengler Date: Wed Oct 16 18:36:25 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause Signed-off-by: Brad Spengler kernel/audit.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0e48ab30113de43958987e9f0d20fb816892c090 Author: Brad Spengler Date: Wed Oct 16 19:02:32 2013 -0400 add 2nd chunk of audit nlmsg_len() fix from minipli Signed-off-by: Brad Spengler kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5e6b4bcb3a38c94605e9fa68d6c5936438fb0d8 Author: Brad Spengler Date: Wed Oct 16 18:37:59 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd Signed-off-by: Brad Spengler kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb491ad409ee7efadcb00041cd31e9e411efebb Author: Brad Spengler Date: Wed Oct 16 18:41:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Bart De Schuymer Signed-off-by: Mathias Krause Conflicts: net/bridge/netfilter/ebt_ulog.c Signed-off-by: Brad Spengler net/bridge/netfilter/ebt_ulog.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 637ef6f911201af0136b794b5b602eb14efb6b7c Author: Brad Spengler Date: Wed Oct 16 18:43:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Signed-off-by: Mathias Krause Conflicts: net/ipv4/netfilter/ipt_ULOG.c Signed-off-by: Brad Spengler net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 103af82880576436f1fceafec93da69f0d55d019 Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change Signed-off-by: Brad Spengler grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit 7749496c3667613ea505823948c0f4f4d9c1d90c Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 4463e68a60d4fb557d37f993f42e3039041550fc Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed Signed-off-by: Brad Spengler net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit efafe8039b3287f73e0abcb4f7be18e83a5c9a2e Author: Brad Spengler Date: Sun Sep 15 08:53:27 2013 -0400 resync with PaX Signed-off-by: Brad Spengler security/selinux/hooks.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 79b41d988ecb86d7dd46f3319b50f4c4d46e65a7 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) Signed-off-by: Brad Spengler lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0f3840d1103e4bf77d4e2098afc4750bb6440ecc Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit c5f66cfeabad4b64a521d1442f7ea9149c011320 Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c Signed-off-by: Brad Spengler fs/namei.c | 50 +++++++++++--------------------------------------- 1 files changed, 11 insertions(+), 39 deletions(-) commit c264c5b4c33c462b41d224091602fe5c9acb163b Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() Signed-off-by: Brad Spengler fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af7bdc7d41a1a8b631802772088968ceacd0d6b4 Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 00eb4028fcc737e2451332e3177705913c9b1bb1 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7adc4a28e2a0ef38f89bbd648a2e1ba70cad852e Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 472e0e1d1516b3002ce1e256dfcd58701358d5f8 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 92745146ec948d5761ac00f98c4a1612c8e6037e Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit eac5b7076235de7b21757cab257415ab779cc7c8 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8e4ea40613a9763d1dc128fdf29c0279001b5e04 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 0996966348dc3c3f7515567d3245292785d484fc Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 91bfda18a5711db32c984c632f47fa57458d993a Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 8aeb7645473b408fc6b2bd78a72671351fc8e684 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 1a624940a4733c04c0f997820c1dcd1eebfcd5bc Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit acca67efb4aeee03672b5d2947da311dcfc2a1d6 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit cb33df1c5ce5f74fcb7d4a2f5b2d07d54d4e1fd8 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 72e55282becb58c925f9034fe717cad96f7fc51d Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 2f8d8b1de901cce7ac5a5dc4f3b8731ba58653d9 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit c414e04ef91fca7dfd260ae307272b1b9a29d1bd Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit b11ccf0d90b1244a91e0422ecd1a1b4918384ff7 Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 81c244a4d186918eb5bde824945878803fb5aeeb Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0f32f992d91442e87628fa805f488c2431930df7 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit b570e8d61ff1670d0737acd9919316ac32fce732 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f580da3b1ddbecc3f65a7957986742bea34c5851 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2b23c36d322e9ebea5621652b77ad2569a3826d Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit ecb7724fd1bcd4fa57059d6297d4f74d4ec93fe6 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a2d7b00383303a5d537e64519dbd31d51645d28e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit 9513c974076339e5b4ba8974b50fd3e9fe18a0d8 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 97af65d0dbfaf8680a7f9a17c45a10892fe907d0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit b2362a07aecb8b86d3dd5e0696ea6dc546ea3144 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 9c0a788e099e0a78bb83961bf02d82ac2c32e21c Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1975575638ae15faba25f749a9040345a73e12e1 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 1282e76e8da58821760a5519cd7bd2510ad7deaf Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 6aa728a7c77d5fe62dd0b731e76b518f85db7808 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 176f65b9498eb83576294934d94bb80f3830e99a Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit f039eddf22e143d336421325eb689a76227956b3 Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 4594be163c41c9a400f0b377e6c35d8fb5599387 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 54a18c9ea152b14381ed3fb4b0a86ef78bd611af Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 166e0c9ff369a931bec65abda32811bb0b548506 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit ee1e4712f5b32f43da0130efedbeb158d7f63562 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit a629a151f557380fed415b226fe5e0e234a285eb Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 218c33ffd6a34fe09037784138dda02b817c1c20 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit e7291feaff2e3dd3d4d01016419cc1dd16ab9658 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 527c8e008b6729ad595c652119128c0a858c0f7e Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 0a6c24237be46318780bd5aa0a0c37837336e40a Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 0c11bf85db37db5667cfb61caf0c72e8437e4197 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit c32fb26e578c2b1b98654e72ceeafc58906acf06 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 80bb153435dac25476b0da4a61238b229ba2b631 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit d7f8a40e0fc1dc1466a271ac33074b6f90226a1a Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 00e035016762dfa49b15cf310ab57fc7011fb4dd Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a144fc9f2f2f6a1d5999b6bd226d964b8b551e31 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 26dd795769f903add193b605f051bed55bf95507 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit c441e54c74284d2dac3aaaf282391f6572239e24 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit ecea885713f4d818032182d839c86dc74ac95b04 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Signed-off-by: Brad Spengler Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 12 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 128 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 256 ++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 29 + kernel/capability.c | 40 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 228 files changed, 4141 insertions(+), 2027 deletions(-) commit 62c18efae524d4cd41939c1d63989d3582b1131a Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 718ed34658f4e4716ff3c9e6d098552d357d19f1 Author: Brad Spengler Date: Sun Nov 24 20:58:05 2013 -0500 Initial import of pax-linux-3.12.1-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 23 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 31 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 24 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 4 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 134 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 ++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 16 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 2 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 6 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 157 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 8 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 74 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 136 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 79 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 108 +- arch/x86/include/asm/uaccess_32.h | 96 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 69 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 130 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 +- arch/x86/kernel/entry_64.S | 666 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/jump_label.c | 6 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 63 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 63 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 89 +- arch/x86/lib/copy_user_nocache_64.S | 22 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 22 +- arch/x86/lib/memmove_64.S | 36 +- arch/x86/lib/memset_64.S | 11 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 359 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 564 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 139 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 38 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 11 +- arch/x86/xen/smp.c | 21 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btwilink.c | 2 +- drivers/bus/arm-cci.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 13 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 67 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 8 +- drivers/gpu/drm/drm_fops.c | 16 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 20 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/host1x/drm/dc.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bcache/super.c | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 4 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 67 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 6 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 15 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 656 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 18 +- fs/dcache.c | 3 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 200 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hostfs/hostfs_kern.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 41 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitops.h | 4 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/jiffies.h | 12 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 118 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 19 +- include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 - include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 9 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 20 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 4 +- include/net/netns/ipv6.h | 4 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 13 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 10 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 12 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 166 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 10 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 26 +- kernel/rcutree_plugin.h | 30 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 49 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 1 - kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/percpu-refcount.c | 2 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 +- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 591 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 42 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 108 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 2 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 75 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 4 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 6 +- net/core/sock.c | 28 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ieee802154/6lowpan.c | 2 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 18 +- net/ipv6/addrconf.c | 12 +- net/ipv6/af_inet6.c | 2 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 17 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 17 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 8 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/svcauth_unix.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 4 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 22 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/module-common.lds | 4 + scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 690 ++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 11 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 471 ++ tools/gcc/latent_entropy_plugin.c | 335 + tools/gcc/size_overflow_hash.data | 7613 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 3840 ++++++++++ tools/gcc/stackleak_plugin.c | 327 + tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1701 files changed, 36050 insertions(+), 7719 deletions(-) commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466 Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit d8981a4fd03025434a466fd87a0eaea93755bc70 Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change init/main.c | 12 +++--------- 1 files changed, 3 insertions(+), 9 deletions(-) commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit ecdd0610bef058fd33fee50b489d949c1a0db07a Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC arch/arm/mm/fault.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 3f4adfade80bba0d865b5c603bd58da555ca4553 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit d4a9bb63091852b5b49ebd216796b374e5c0dc71 Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit e727db195f8bed17c65d050e1772643d730fe565 Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb Merge: 2fcc3a5 2d1263b Author: Brad Spengler Date: Fri Nov 22 21:11:44 2013 -0500 Merge branch 'pax-test' into grsec-test commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1 Merge: d52f291 e0cd057 Author: Brad Spengler Date: Fri Nov 22 21:11:33 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: drivers/net/ethernet/chelsio/cxgb3/sge.c commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972 Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b Author: Hannes Frederic Sowa Date: Mon Nov 18 07:07:45 2013 +0100 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 ping: prevent NULL pointer dereference on write to msg_name A plain read() on a socket does set msg->msg_name to NULL. So check for NULL pointer first. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv4/ping.c | 34 +++++++++++++++++++--------------- 1 files changed, 19 insertions(+), 15 deletions(-) commit 8bb32f2682953e1b748a59c4a4363b237c3510df Author: Hannes Frederic Sowa Date: Mon Nov 18 04:20:45 2013 +0100 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb Suggested-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ieee802154/dgram.c | 3 +-- net/ipv4/ping.c | 19 +++++++------------ net/ipv4/raw.c | 4 +--- net/ipv4/udp.c | 7 +------ net/ipv6/raw.c | 4 +--- net/ipv6/udp.c | 5 +---- net/l2tp/l2tp_ip.c | 4 +--- net/phonet/datagram.c | 9 ++++----- 8 files changed, 17 insertions(+), 38 deletions(-) commit 642d754081c130a151e7df27e5c07edf2f368106 Author: Jeff Layton Date: Wed Nov 13 09:08:21 2013 -0500 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. There is no guarantee that doing so will work however, so we can end up retrying the call in an infinite loop. Worse yet, we create the new client using rpc_clone_client_set_auth, which creates the new client as a child of the old one. Thus, we can end up with a *very* long lineage of rpc_clnts. When we go to put all of the references to them, we can end up with a long call chain that can smash the stack as each rpc_free_client() call can recurse back into itself. This patch fixes this by simply ensuring that the SETCLIENTID call will only be retried in this situation if the last attempt did not use RPC_AUTH_UNIX. Note too that with this change, we don't need the (i > 2) check in the -EACCES case since we now have a more reliable test as to whether we should reattempt. Cc: stable@vger.kernel.org # v3.10+ Cc: Chuck Lever Tested-by/Acked-by: Weston Andros Adamson Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2 Author: Chuck Lever Date: Wed Jul 24 12:28:28 2013 -0400 Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e NFS: Use root's credential for lease management when keytab is missing Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting" Fri Sep 14 17:24:32 2012 introduced Uniform Client String support, which forces our NFS client to establish a client ID immediately during a mount operation rather than waiting until a user wants to open a file. Normally machine credentials (eg. from a keytab) are used to perform a mount operation that is protected by Kerberos. Before 05fc350, SETCLIENTID used a machine credential, or fell back to a regular user's credential if no keytab is available. On clients that don't have a keytab, performing SETCLIENTID early means there's no user credential to fall back on, since no regular user has kinit'd yet. 05f4c350 seems to have broken the ability to mount with sec=krb5 on clients that don't have a keytab in kernels 3.7 - 3.10. To address this regression, commit 4edaa308 (NFS: Use "krb5i" to establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013, was merged in 3.10. This commit forces the NFS client to fall back to AUTH_SYS for lease management operations if no keytab is available. Neil Brown noticed that, since root is required to kinit to do a sec=krb5 mount when a client doesn't have a keytab, we can try to use root's Kerberos credential before AUTH_SYS. Now, when determining a principal and flavor to use for lease management, the NFS client tries in this order: 1. Flavor: AUTH_GSS, krb5i Principal: service principal (via keytab) 2. Flavor: AUTH_GSS, krb5i Principal: user principal established for UID 0 (via kinit) 3. Flavor: AUTH_SYS Principal: UID 0 / GID 0 Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) commit 6ebab64904f37af82e950b0c6d321437e810b248 Author: Trond Myklebust Date: Tue Nov 12 17:24:36 2013 -0500 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b SUNRPC: Avoid deep recursion in rpc_release_client In cases where an rpc client has a parent hierarchy, then rpc_free_client may end up calling rpc_release_client() on the parent, thus recursing back into rpc_free_client. If the hierarchy is deep enough, then we can get into situations where the stack simply overflows. The fix is to have rpc_release_client() loop so that it can take care of the parent rpc client hierarchy without needing to recurse. Reported-by: Jeff Layton Reported-by: Weston Andros Adamson Reported-by: Bruce Fields Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit fcb4306973aed105cc6d042077bf31e21b812008 Author: Trond Myklebust Date: Fri Nov 8 16:03:50 2013 -0500 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 SUNRPC: Fix a data corruption issue when retransmitting RPC calls The following scenario can cause silent data corruption when doing NFS writes. It has mainly been observed when doing database writes using O_DIRECT. 1) The RPC client uses sendpage() to do zero-copy of the page data. 2) Due to networking issues, the reply from the server is delayed, and so the RPC client times out. 3) The client issues a second sendpage of the page data as part of an RPC call retransmission. 4) The reply to the first transmission arrives from the server _before_ the client hardware has emptied the TCP socket send buffer. 5) After processing the reply, the RPC state machine rules that the call to be done, and triggers the completion callbacks. 6) The application notices the RPC call is done, and reuses the pages to store something else (e.g. a new write). 7) The client NIC drains the TCP socket send buffer. Since the page data has now changed, it reads a corrupted version of the initial RPC call, and puts it on the wire. This patch fixes the problem in the following manner: The ordering guarantees of TCP ensure that when the server sends a reply, then we know that the _first_ transmission has completed. Using zero-copy in that situation is therefore safe. If a time out occurs, we then send the retransmission using sendmsg() (i.e. no zero-copy), We then know that the socket contains a full copy of the data, and so it will retransmit a faithful reproduction even if the RPC call completes, and the application reuses the O_DIRECT buffer in the meantime. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- 1 files changed, 21 insertions(+), 7 deletions(-) commit 2c59d4080ae744532dbe595f6923dcba72279977 Merge: b2b99c6 d52f291 Author: Brad Spengler Date: Mon Nov 18 19:07:55 2013 -0500 Merge branch 'pax-test' into grsec-test commit d52f291621da9227cda5fd647e82dfe9bfc11265 Author: Brad Spengler Date: Mon Nov 18 19:07:14 2013 -0500 Update to pax-linux-3.11.8-test14.patch: - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878) mm/page_alloc.c | 2 +- tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++---------- 2 files changed, 25 insertions(+), 11 deletions(-) commit b2b99c6972e345565d561b722de210f071e5e259 Author: Brad Spengler Date: Thu Nov 14 20:47:37 2013 -0500 Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e ipv6: fix headroom calculation in udp6_ufo_fragment Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp fragmentation for tunnel traffic.") changed the calculation if there is enough space to include a fragment header in the skb from a skb->mac_header dervived one to skb_headroom. Because we already peeled off the skb to transport_header this is wrong. Change this back to check if we have enough room before the mac_header. This fixes a panic Saran Neti reported. He used the tbf scheduler which skb_gso_segments the skb. The offsets get negative and we panic in memcpy because the skb was erroneously not expanded at the head. Reported-by: Saran Neti Cc: Pravin B Shelar Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/udp_offload.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 012ee7647e16f464f8d1ad004e28eac2ba778158 Author: Dan Carpenter Date: Thu Nov 14 11:21:10 2013 +0300 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 isdnloop: use strlcpy() instead of strcpy() These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f Author: Eric Dumazet Date: Thu Nov 14 13:37:54 2013 -0800 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf ipv4: fix possible seqlock deadlock ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters. Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") Signed-off-by: Eric Dumazet Reported-by: Dave Jones Signed-off-by: David S. Miller net/ipv4/datagram.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1a642170613ae336331f2df38aa8f2c1227d3c96 Merge: 60c6423 84d78c7 Author: Brad Spengler Date: Thu Nov 14 20:28:51 2013 -0500 Merge branch 'pax-test' into grsec-test commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730 Author: Brad Spengler Date: Thu Nov 14 20:28:07 2013 -0500 Update to pax-linux-3.11.8-test13.patch: - forward port to 3.11.8 - removed some no longer used code from bpf jit - fixed some atomic_unchecked_t usage in oprofile and uio - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy arch/x86/include/asm/mmu_context.h | 8 ++++++++ arch/x86/kernel/setup.c | 2 +- drivers/bluetooth/btwilink.c | 2 +- drivers/md/dm-table.c | 2 +- drivers/message/i2o/i2o_proc.c | 16 ++++++++-------- drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/oprofilefs.c | 4 ++-- drivers/platform/x86/msi-wmi.c | 2 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++---- drivers/usb/serial/console.c | 2 +- include/linux/filter.h | 4 ---- kernel/audit.c | 2 +- 20 files changed, 41 insertions(+), 45 deletions(-) commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43 Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit 27c3b43bd5ad9c9b877016f26192dbc30da54018 Merge: 08e883f d0a09ad Author: Brad Spengler Date: Wed Nov 13 22:27:13 2013 -0500 Merge branch 'pax-test' into grsec-test commit d0a09ad6430008135b98da6e1941e98a6110b59e Merge: 4e826ac 02709ef Author: Brad Spengler Date: Wed Nov 13 22:27:03 2013 -0500 Merge branch 'linux-3.11.y' into pax-test commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 094c08532f9877a287ffac7a87b05841a56b4e5d Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e383790f8252620f52895e202cc057c4318da3f4 Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26 Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 17f832897194f46c4759aa02e048ad5623a04eed Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20 Merge: fb281bd 4e826ac Author: Brad Spengler Date: Wed Nov 6 17:27:16 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/l2tp/l2tp_core.c commit 4e826ac763867707352d93b7d23ed86e4c6829cf Merge: e309bfb 39773be Author: Brad Spengler Date: Wed Nov 6 17:26:23 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: net/compat.c commit fb281bdee5ccb76facfe1172318a867b624011f4 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba Author: Dan Carpenter Date: Tue Oct 29 23:01:43 2013 +0300 Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Staging: sb105x: info leak in mp_get_count() The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/sb105x/sb_pci_mp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de Author: Dan Carpenter Date: Tue Oct 29 22:06:04 2013 +0300 Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write() We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds arch/um/kernel/exitcode.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 1285d10ec38f216f3c5de7ce085ce43447c78916 Author: Jason Wang Date: Fri Nov 1 15:01:10 2013 +0800 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd net: flow_dissector: fail on evil iph->ihl We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/core/flow_dissector.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc Author: Ming Lei Date: Thu Oct 31 16:34:17 2013 -0700 Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to. Unfortunately, the commit may introduce a potential bug: - Before sending some SCSI commands, kmalloc() buffer may be passed to block layper, so flush_kernel_dcache_page() can see a slab page finally - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page. - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered. Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page(). Signed-off-by: Ming Lei Reported-by: Aaro Koskinen Tested-by: Simon Baatz Cc: Russell King - ARM Linux Cc: Will Deacon Cc: Aaro Koskinen Acked-by: Catalin Marinas Cc: FUJITA Tomonori Cc: Tejun Heo Cc: "James E.J. Bottomley" Cc: Jens Axboe Cc: [3.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/scatterlist.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4 Author: Dan Carpenter Date: Tue Oct 29 23:01:11 2013 +0300 Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba Staging: bcm: info leak in ioctl The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/bcm/Bcmchar.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a2ab9d69265a08280241a2f2152e535316d02f53 Author: Dan Carpenter Date: Tue Oct 29 22:11:06 2013 +0300 Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5 aacraid: missing capable() check in compat ioctl In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/scsi/aacraid/linit.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e Author: Dan Carpenter Date: Tue Oct 29 23:00:15 2013 +0300 Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054 staging: wlags49_h2: buffer overflow setting station name We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit afd645c1684265260b64ec8189cbc2703b91f6ab Author: Dan Carpenter Date: Tue Oct 29 22:07:47 2013 +0300 Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 staging: ozwpan: prevent overflow in oz_cdev_write() We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/ozwpan/ozcdev.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 4a907baeb462b7e0f50923be5a9d842aec93c97a Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds Date: Sun Oct 27 15:17:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit e309bfbf7b506b2294b30233f7a3299173a75cf7 Author: Hugh Dickins Date: Wed Oct 16 13:47:09 2013 -0700 Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779 mm: revert mremap pud_free anti-fix Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail calling pmd_alloc()"). The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map() ensure that the pud, pmd, pt is already allocated, and seldom do they need to allocate; on failure, upper levels are freed if appropriate by the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an unconditional pud_free() of a most-likely still-in-use pud: saved only by the near-impossiblity of pmd_alloc() failing. Signed-off-by: Hugh Dickins Cc: Chen Gang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mremap.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 0970b16a9df08b8cca6929b6443f67df432ac3e5 Author: Eric Dumazet Date: Tue Oct 1 21:04:11 2013 -0700 Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693 net: do not call sock_put() on TIMEWAIT sockets commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. We should instead use inet_twsk_put() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/inet_hashtables.c | 2 +- net/ipv6/inet6_hashtables.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28 Author: Andi Kleen Date: Mon Sep 30 13:29:08 2013 -0700 Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645 igb: Avoid uninitialized advertised variable in eee_set_cur eee_get_cur assumes that the output data is already zeroed. It can read-modify-write the advertised field: if (ipcnfg & E1000_IPCNFG_EEE_100M_AN) 2594 edata->advertised |= ADVERTISED_100baseT_Full; This is ok for the normal ethtool eee_get call, which always zeroes the input data before. But eee_set_cur also calls eee_get_cur and it did not zero the input field. Later on it then compares agsinst the field, which can contain partial stack garbage. Zero the input field in eee_set_cur() too. Cc: jeffrey.t.kirsher@intel.com Cc: netdev@vger.kernel.org Signed-off-by: Andi Kleen Acked-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 651730a8caabce37f78d8e6c84283b96e434d19f Author: Dan Carpenter Date: Thu Oct 3 00:27:20 2013 +0300 Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8 net: heap overflow in __audit_sockaddr() We need to cap ->msg_namelen or it leads to a buffer overflow when we to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to exploit this bug. The call tree is: ___sys_recvmsg() move_addr_to_user() audit_sockaddr() __audit_sockaddr() Reported-by: Jüri Aedla Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Conflicts: net/compat.c net/compat.c | 2 ++ net/socket.c | 24 ++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc Author: Salva Peiró Date: Wed Oct 16 12:46:50 2013 +0200 Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 wanxl: fix info leak in ioctl The wanxl_ioctl() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: David S. Miller drivers/net/wan/wanxl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f Author: Geyslan G. Bem Date: Fri Oct 11 16:49:16 2013 -0300 Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4 ecryptfs: Fix memory leakage in keystore.c In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem Signed-off-by: Tyler Hicks Cc: stable@vger.kernel.org # v2.6.28+ fs/ecryptfs/keystore.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 0ccb7b191245318a36bbd1f59a1846dda72cb738 Author: Colin Ian King Date: Thu Oct 24 14:08:07 2013 +0000 Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e eCryptfs: fix 32 bit corruption issue Shifting page->index on 32 bit systems was overflowing, causing data corruption of > 4GB files. Fix this by casting it first. https://launchpad.net/bugs/1243636 Signed-off-by: Colin Ian King Reported-by: Lars Duesing Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Tyler Hicks fs/ecryptfs/crypto.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4 Author: Brad Spengler Date: Sun Oct 27 13:29:49 2013 -0400 This is a replacement patch only for stable which does fix the problems handled by the following two commits in -net: "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) Three frames are written on a corked udp socket for which the output netdevice has UFO enabled. If the first and third frame are smaller than the mtu and the second one is bigger, we enqueue the second frame with skb_append_datato_frags without initializing the gso fields. This leads to the third frame appended regulary and thus constructing an invalid skb. This fixes the problem by always using skb_append_datato_frags as soon as the first frag got enqueued to the skb without marking the packet as SKB_GSO_UDP. The problem with only two frames for ipv6 was fixed by "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO" (2811ebac2521ceac84f2bdae402455baa6a7fb47). Cc: Jiri Pirko Cc: Eric Dumazet Cc: David Miller Signed-off-by: Hannes Frederic Sowa include/linux/skbuff.h | 5 +++++ net/ipv4/ip_output.c | 2 +- net/ipv6/ip6_output.c | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) commit aead8ff29424c6a5d25eb4614be91a01f9f6af00 Merge: 5cf8361 ddadc82 Author: Brad Spengler Date: Sat Oct 26 08:42:26 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec Author: Brad Spengler Date: Sat Oct 26 08:41:24 2013 -0400 - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e) - updated config help for latent entropy to reflect recent changes arch/x86/include/asm/uaccess_64.h | 4 ++-- security/Kconfig | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad Author: Johannes Weiner Date: Wed Oct 16 13:47:00 2013 -0700 Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc fs: buffer: move allocation failure loop into the allocator Buffer allocation has a very crude indefinite loop around waking the flusher threads and performing global NOFS direct reclaim because it can not handle allocation failures. The most immediate problem with this is that the allocation may fail due to a memory cgroup limit, where flushers + direct reclaim might not make any progress towards resolving the situation at all. Because unlike the global case, a memory cgroup may not have any cache at all, only anonymous pages but no swap. This situation will lead to a reclaim livelock with insane IO from waking the flushers and thrashing unrelated filesystem cache in a tight loop. Use __GFP_NOFAIL allocations for buffers for now. This makes sure that any looping happens in the page allocator, which knows how to orchestrate kswapd, direct reclaim, and the flushers sensibly. It also allows memory cgroups to detect allocations that can't handle failure and will allow them to ultimately bypass the limit if reclaim can not make progress. Reported-by: azurIt Signed-off-by: Johannes Weiner Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/buffer.c | 14 ++++++++++++-- mm/memcontrol.c | 2 ++ 2 files changed, 14 insertions(+), 2 deletions(-) commit 799326c8683d8d70b2035b1e5ab913c159112b6b Author: Miklos Szeredi Date: Thu Oct 10 16:48:19 2013 +0200 Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 ext[34]: fix double put in tmpfile d_tmpfile() already swallowed the inode ref. Signed-off-by: Miklos Szeredi Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ext3/namei.c | 5 ++--- fs/ext4/namei.c | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3 Author: Jan Klos Date: Sun Oct 6 21:08:20 2013 +0200 Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20 cifs: Fix inability to write files >2GB to SMB2/3 shares When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super(). The patch fixes this by checking for the correct bit according to the protocol version. CC: Stable Signed-off-by: Jan Klos Reviewed-by: Jeff Layton Signed-off-by: Steve French fs/cifs/cifsfs.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22 Author: Tim Gardner Date: Sun Oct 13 13:29:03 2013 -0600 Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a cifs: ntstatus_to_dos_map[] is not terminated Functions that walk the ntstatus_to_dos_map[] array could run off the end. For example, ntstatus_to_dos() loops while ntstatus_to_dos_map[].ntstatus is not 0. Granted, this is mostly theoretical, but could be used as a DOS attack if the error code in the SMB header is bogus. [Might consider adding to stable, as this patch is low risk - Steve] Reviewed-by: Jeff Layton Signed-off-by: Tim Gardner Signed-off-by: Steve French fs/cifs/netmisc.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit ed8c09a96fa260e1864c632e1dd91b1320876305 Author: Eric Dumazet Date: Tue Oct 15 11:54:30 2013 -0700 Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9 tcp: must unclone packets before mangling them TCP stack should make sure it owns skbs before mangling them. We had various crashes using bnx2x, and it turned out gso_size was cleared right before bnx2x driver was populating TC descriptor of the _previous_ packet send. TCP stack can sometime retransmit packets that are still in Qdisc. Of course we could make bnx2x driver more robust (using ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. We have identified two points where skb_unclone() was needed. This patch adds a WARN_ON_ONCE() to warn us if we missed another fix of this kind. Kudos to Neal for finding the root cause of this bug. Its visible using small MSS. Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Cc: Yuchung Cheng Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit e5dcf1772ca2a85952da10a21d0650507dc061d3 Author: Dan Carpenter Date: Mon Oct 14 15:28:38 2013 +0300 Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5 yam: integer underflow in yam_ioctl() We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be negative. I don't know the impact of using a negative bitrate but let's prevent it. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller include/linux/yam.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1f5d72d633f317248bba25158c326a61394aebf2 Merge: 7ca4328 4df1b96 Author: Brad Spengler Date: Fri Oct 18 19:36:17 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: ipc/shm.c commit 4df1b965687831808af2548487e0f35a2ccc5c29 Merge: e41125e 5070441 Author: Brad Spengler Date: Fri Oct 18 19:35:31 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/kernel/setup.c commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525 Author: Brad Spengler Date: Wed Oct 16 18:35:00 2013 -0400 From: Mathias Krause To: Evgeniy Polyakov Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check. Cc: stable@vger.kernel.org # v2.6.14+ Signed-off-by: Mathias Krause drivers/connector/connector.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489 Author: Brad Spengler Date: Wed Oct 16 18:36:25 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause kernel/audit.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9557a8727fd46e68f092dec0830a982e85b231f7 Author: Brad Spengler Date: Wed Oct 16 19:02:32 2013 -0400 add 2nd chunk of audit nlmsg_len() fix from minipli kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd Author: Brad Spengler Date: Wed Oct 16 18:37:59 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7547b29750381c776dfd47f4b1277a492d5b0f72 Author: Brad Spengler Date: Wed Oct 16 18:41:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Bart De Schuymer Signed-off-by: Mathias Krause Conflicts: net/bridge/netfilter/ebt_ulog.c net/bridge/netfilter/ebt_ulog.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528 Author: Brad Spengler Date: Wed Oct 16 18:43:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Signed-off-by: Mathias Krause Conflicts: net/ipv4/netfilter/ipt_ULOG.c net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 2965f6e6122325a18e69296ad3817c66ca59b7e3 Author: Brad Spengler Date: Wed Oct 16 18:49:45 2013 -0400 From: Mathias Krause To: "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH net] unix_diag: fix info leak When filling the netlink message we miss to wipe the pad field, therefore leak one byte of heap memory to userland. Fix this by setting pad to 0. Signed-off-by: Mathias Krause net/unix/diag.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc Author: Mathias Krause Date: Mon Sep 30 22:03:06 2013 +0200 Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682 proc connector: fix info leaks Initialize event_data for all possible message types to prevent leaking kernel stack contents to userland (up to 20 bytes). Also set the flags member of the connector message to 0 to prevent leaking two more stack bytes this way. Cc: stable@vger.kernel.org # v2.6.15+ Signed-off-by: Mathias Krause Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04 Author: AKASHI Takahiro Date: Wed Oct 9 15:58:29 2013 +0100 Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() In ftrace_syscall_enter(), syscall_get_arguments(..., 0, n, ...) if (i == 0) { ...; n--;} memcpy(..., n * sizeof(args[0])); If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in syscall_get_arguments(), none of arguments should be copied by memcpy(). Otherwise 'n--' can be a big positive number and unexpected amount of data will be copied. Tracing system calls which take no argument, say sync(void), may hit this case and eventually make the system corrupted. This patch fixes the issue both in syscall_get_arguments() and syscall_set_arguments(). Cc: Acked-by: Will Deacon Signed-off-by: AKASHI Takahiro Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/include/asm/syscall.h | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2 Author: Dave Jones Date: Thu Oct 10 20:05:35 2013 -0400 Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc ext4: fix memory leak in xattr If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentionally return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way. Spotted with Coverity. [ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug. -- Ted ] Signed-off-by: Dave Jones Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Cc: stable@vger.kernel.org fs/ext4/xattr.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 224e55268fbd4f81fca479e315c9483df591411d Author: Salva Peiró Date: Fri Oct 11 12:50:03 2013 +0300 Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194 farsync: fix info leak in ioctl The fst_get_iface() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/net/wan/farsync.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9 Author: James Hogan Date: Mon Oct 7 12:14:26 2013 +0100 Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92 MIPS: stack protector: Fix per-task canary switch Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary per task) was merged in v3.11 and introduced assembly in the MIPS resume functions to update the value of the current canary in __stack_chk_guard. However it used PTR_L resulting in a load of the canary value, instead of PTR_LA to construct its address. The value is intended to be random but is then treated as an address in the subsequent LONG_S (store). This was observed to cause a fault and panic: CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4 Oops[#1]: ... $24 : 139fea20 1e1f7cb6 ... Call Trace: [<8000cc0c>] resume+0xac/0x118 [<8034f2a4>] __schedule+0x5f8/0x78c [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c [<80348eec>] rest_init+0x74/0x84 [<804dc990>] start_kernel+0x43c/0x454 Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc This can also be forced by modifying arch/mips/include/asm/stackprotector.h so that the default __stack_chk_guard value is more likely to be a bad (or unaligned) pointer. Fix it to use PTR_LA instead, to load the address of the canary value, which the LONG_S can then use to write into it. Reported-by: bobjones (via #mipslinux on IRC) Signed-off-by: James Hogan Cc: Ralf Baechle Cc: Gregory Fong Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/6026/ Signed-off-by: Ralf Baechle arch/mips/kernel/octeon_switch.S | 2 +- arch/mips/kernel/r2300_switch.S | 2 +- arch/mips/kernel/r4k_switch.S | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c Author: Fan Du Date: Tue Sep 17 15:14:13 2013 +0800 Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda xfrm: Guard IPsec anti replay window against replay bitmap For legacy IPsec anti replay mechanism: bitmap in struct xfrm_replay_state could only provide a 32 bits window size limit in current design, thus user level parameter sadb_sa_replay should honor this limit, otherwise misleading outputs("replay=244") by setkey -D will be: 192.168.25.2 192.168.22.2 esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000) E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2 A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=1 pid=4854 refcnt=0 192.168.22.2 192.168.25.2 esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000) E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282 A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=0 pid=4854 refcnt=0 And also, optimizing xfrm_replay_check window checking by setting the desirable x->props.replay_window with only doing the comparison once for all when xfrm_state is first born. Signed-off-by: Fan Du Signed-off-by: Steffen Klassert net/key/af_key.c | 3 ++- net/xfrm/xfrm_replay.c | 3 +-- net/xfrm/xfrm_user.c | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541 Author: Thomas Egerer Date: Thu Sep 19 13:19:19 2013 +0200 Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c xfrm: Fix aevent generation for each received packet If asynchronous events are enabled for a particular netlink socket, the notify function is called by the advance function. The notify function creates and dispatches a km_event if a replay timeout occurred, or at least replay_maxdiff packets have been received since the last asynchronous event has been sent. The function is supposed to return if neither of the two events were detected for a state, or replay_maxdiff is equal to zero. Replay_maxdiff is initialized in xfrm_state_construct to the value of the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state if the netlink attribute XFRMA_REPLAY_THRESH is set. If, however, replay_maxdiff is set to zero, then all of the three notify implementations perform a break from the switch statement instead of checking whether a timeout occurred, and -- if not -- return. As a result an asynchronous event is generated for every replay update of a state that has a zero replay_maxdiff value. This patch modifies the notify functions such that they immediately return if replay_maxdiff has the value zero, unless a timeout occurred. Signed-off-by: Thomas Egerer Signed-off-by: Steffen Klassert net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++---------------------- 1 files changed, 27 insertions(+), 24 deletions(-) commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8 Author: Steffen Klassert Date: Tue Oct 8 10:49:45 2013 +0200 Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee xfrm: Add refcount handling to queued policies We need to ensure that policies can't go away as long as the hold timer is armed, so take a refcont when we arm the timer and drop one if we delete it. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 24 +++++++++++++++++------- 1 files changed, 17 insertions(+), 7 deletions(-) commit b4948dc963442682534b3a039664b564c764e4f8 Author: Steffen Klassert Date: Tue Oct 8 10:49:51 2013 +0200 Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 xfrm: check for a vaild skb in xfrm_policy_queue_process We might dreference a NULL pointer if the hold_queue is empty, so add a check to avoid this. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit fad7f264b264b0b17a307aa16162cb43c7688a30 Author: Marc Kleine-Budde Date: Mon Oct 7 23:19:58 2013 +0200 Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89 net: vlan: fix nlmsg size calculation in vlan_get_size() This patch fixes the calculation of the nlmsg size, by adding the missing nla_total_size(). Cc: Patrick McHardy Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller net/8021q/vlan_netlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd Author: François Cachereul Date: Wed Oct 2 10:16:02 2013 +0200 Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses IPv4 mapped addresses cause kernel panic. The patch juste check whether the IPv6 address is an IPv4 mapped address. If so, use IPv4 API instead of IPv6. [ 940.026915] general protection fault: 0000 [#1] [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 [ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 [ 940.026915] Stack: [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 [ 940.026915] Call Trace: [ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 [ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] [ 940.026915] [] ? pskb_expand_head+0x161/0x214 [ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] [ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] [ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] [ 940.026915] [] ? vfs_write+0xa2/0x106 [ 940.026915] [] ? SyS_write+0x56/0x8a [ 940.026915] [] ? system_call_fastpath+0x16/0x1b [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 [ 940.026915] RIP [] ip6_xmit+0x276/0x326 [ 940.026915] RSP [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: François CACHEREUL Signed-off-by: David S. Miller net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- net/l2tp/l2tp_core.h | 3 +++ 2 files changed, 26 insertions(+), 4 deletions(-) commit 2db6fe58460d400bc8b995fa2328be03e27e55e1 Merge: 28f9622 e41125e Author: Brad Spengler Date: Tue Oct 15 10:00:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/ds.c net/sysctl_net.c commit e41125e4742f332cd8cd8cf0c00cb189dba0e037 Merge: 740e5ec a145cb9 Author: Brad Spengler Date: Tue Oct 15 09:58:29 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 28f9622091224541efadf3ae006f0e5651c7fa45 Author: Brad Spengler Date: Tue Oct 1 22:48:34 2013 -0400 Fix this strlcpy crap properly arch/sparc/kernel/ds.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) commit 837193210e4125fe4e9e554b28d7bc33985f3554 Author: David S. Miller Date: Fri Sep 27 13:46:04 2013 -0700 Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355 sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using strlcpy() instead of strcpy()") added a bug to ldom_reboot in arch/sparc/kernel/ds.c - strcpy(full_boot_str + strlen("boot "), boot_command); + strlcpy(full_boot_str + strlen("boot "), boot_command, + sizeof(full_boot_str + strlen("boot "))); That last sizeof() expression evaluates to sizeof(size_t) which is not what was intended. Also even the corrected: sizeof(full_boot_str) + strlen("boot ") is not right as the destination buffer length is just plain "sizeof(full_boot_str)" and that's what the final argument should be. Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249 Author: Hannes Frederic Sowa Date: Sun Sep 29 05:40:50 2013 +0200 Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae ipv6: gre: correct calculation of max_headroom gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header, so initialize max_headroom to zero. Otherwise the if (encap_limit >= 0) { max_headroom += 8; mtu -= 8; } increments an uninitialized variable before max_headroom was reset. Found with coverity: 728539 Cc: Dmitry Kozlov Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller Conflicts: net/ipv6/ip6_gre.c net/ipv6/ip6_gre.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0d68ac550952d0eaf60851497ceee68dbba24516 Merge: 64257ad 740e5ec Author: Brad Spengler Date: Tue Oct 1 18:11:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-core.c drivers/hid/hid-lg2ff.c drivers/hid/hid-lg3ff.c drivers/hid/hid-lg4ff.c drivers/hid/hid-lgff.c drivers/hid/hid-logitech-dj.c drivers/hid/hid-steelseries.c drivers/hid/hid-zpff.c include/linux/hid.h commit 740e5ec087969afd43ae0b552b4e05914437ed32 Merge: c38c6b0 db20388 Author: Brad Spengler Date: Tue Oct 1 17:40:46 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 64257ad95c51285d415f93ebdd486fae6bb9415d Author: Hannes Frederic Sowa Date: Sat Sep 21 06:27:00 2013 +0200 Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47 ipv6: udp packets following an UFO enqueued packet need also be handled by UFO In the following scenario the socket is corked: If the first UDP packet is larger then the mtu we try to append it to the write queue via ip6_ufo_append_data. A following packet, which is smaller than the mtu would be appended to the already queued up gso-skb via plain ip6_append_data. This causes random memory corruptions. In ip6_ufo_append_data we also have to be careful to not queue up the same skb multiple times. So setup the gso frame only when no first skb is available. This also fixes a shortcoming where we add the current packet's length to cork->length but return early because of a packet > mtu with dontfrag set (instead of sutracting it again). Found with trinity. Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 53 ++++++++++++++++++++---------------------------- 1 files changed, 22 insertions(+), 31 deletions(-) commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6 Author: Dan Carpenter Date: Tue Sep 24 15:27:45 2013 -0700 Just a whitespace fix to sync with upstream as we already applied this fix via Vasiliy Kulikov in 2010. It fell through the cracks upstream cciss: fix info leak in cciss_ioctl32_passthru() The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter Acked-by: Mike Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: drivers/block/cciss.c drivers/block/cciss.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e Author: Paul E. McKenney Date: Tue Sep 24 18:29:11 2013 -0700 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b mm: Place preemption point in do_mlockall() loop There is a loop in do_mlockall() that lacks a preemption point, which means that the following can happen on non-preemptible builds of the kernel. Dave Jones reports: "My fuzz tester keeps hitting this. Every instance shows the non-irq stack came in from mlockall. I'm only seeing this on one box, but that has more ram (8gb) than my other machines, which might explain it. INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0) sending NMI to all CPUs: NMI backtrace for cpu 3 CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32 Call Trace: lru_add_drain_all+0x15/0x20 SyS_mlockall+0xa5/0x1a0 tracesys+0xdd/0xe2" This commit addresses this problem by inserting the required preemption point. Reported-by: Dave Jones Signed-off-by: Paul E. McKenney Cc: KOSAKI Motohiro Cc: Michel Lespinasse Cc: Andrew Morton Signed-off-by: Linus Torvalds mm/mlock.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9 Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit 55f1e409275973513a3314fe5bfa76a4781c0db7 Merge: 2eac654 c38c6b0 Author: Brad Spengler Date: Fri Sep 27 20:35:04 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-picolcd_core.c commit c38c6b0bbbe53bd528aeeb4a059764abc028c276 Merge: 115bf6a a3308b5 Author: Brad Spengler Date: Fri Sep 27 20:34:15 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/ia32/ia32_signal.c arch/x86/include/asm/checksum_32.h arch/x86/include/asm/mmu_context.h arch/x86/kernel/signal.c arch/x86/lib/csum-wrappers_64.c include/linux/compat.h commit 2eac65435fdffca548a56e5187840908438fc95c Merge: ba0ebde 115bf6a Author: Brad Spengler Date: Thu Sep 26 20:00:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit 115bf6af0083ea28c751d551a39cfdba1798e9dc Author: Brad Spengler Date: Thu Sep 26 19:59:14 2013 -0400 Update to pax-linux-3.11.1-test10.patch: - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040) - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released) - beefed up latent entropy extraction - latent_entropy itself will be initialized to a compile-time random value (instead of 0) - entropy will be collected from various irq and softirq handlers arch/arm/kernel/module.c | 2 ++ arch/arm/kernel/vmlinux.lds.S | 2 +- block/blk-iopoll.c | 2 +- block/blk-softirq.c | 2 +- fs/binfmt_elf.c | 8 +++++--- include/linux/genhd.h | 2 +- include/linux/random.h | 4 ++-- kernel/hrtimer.c | 2 +- kernel/rcutiny.c | 2 +- kernel/rcutree.c | 2 +- kernel/sched/fair.c | 2 +- kernel/softirq.c | 4 ++-- kernel/timer.c | 2 +- lib/percpu-refcount.c | 2 +- net/core/dev.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 2 +- 16 files changed, 24 insertions(+), 20 deletions(-) commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6 Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35 Merge: f1e4228 90db383 Author: Brad Spengler Date: Wed Sep 18 17:34:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 90db383fd7d650172d52229b0116ad7604c9bec1 Author: Brad Spengler Date: Wed Sep 18 17:32:42 2013 -0400 Update to pax-linux-3.11.1-test9.patch: - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer - better implementation of __read_only for modules - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard arch/arm/kernel/entry-common.S | 12 ++++++------ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++-- arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++- arch/x86/include/asm/cache.h | 4 ---- drivers/bus/arm-cci.c | 2 +- drivers/clk/socfpga/clk.c | 2 +- drivers/mmc/host/mmci.c | 4 +++- drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +- include/linux/cache.h | 4 ++++ net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- scripts/module-common.lds | 4 ++++ 12 files changed, 49 insertions(+), 19 deletions(-) commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810 Author: Brad Spengler Date: Wed Sep 18 17:32:25 2013 -0400 Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error" This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f. net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f1e42285e17479067b6cbcffc43916720e6dedd3 Merge: 456ca17 5e30989 Author: Brad Spengler Date: Mon Sep 16 21:42:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5e30989102e2d0df166ab6ff915b90f675f8786f Author: Brad Spengler Date: Mon Sep 16 21:41:44 2013 -0400 mark sctp_af_inet forward declaration as __read_only to fix compile error net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 456ca176141f10355c1569b29225c9ce4b7db18e Merge: b406eac 5df8f36 Author: Brad Spengler Date: Mon Sep 16 20:02:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6 Author: Brad Spengler Date: Mon Sep 16 20:01:38 2013 -0400 Update to pax-linux-3.11.1-test7.patch: - fixed arm compile error, reported by Arnaud Ebalard - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743) - fixed od_ops constification, fixes cpufreq ondemand on AMD - latent entropy will now be gathered from module init code as well (i.e., at module load/init time) - __read_only will now be enforced in modules as well - removed unneccessary __read_only from ntfs arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/x86/include/asm/cache.h | 4 ++++ drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 2 +- fs/ntfs/file.c | 4 ++-- include/linux/init.h | 5 ----- include/net/xfrm.h | 5 ++++- init/main.c | 9 +++------ mm/page_alloc.c | 1 + net/ipv4/xfrm4_policy.c | 4 ++-- net/ipv6/xfrm6_policy.c | 4 ++-- net/xfrm/xfrm_policy.c | 11 ++--------- 12 files changed, 23 insertions(+), 30 deletions(-) commit b406eac579bb3a5faa1c9d73b8af5530f942009a Author: Brad Spengler Date: Mon Sep 16 12:53:22 2013 -0400 Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce author Steffen Klassert 2013-09-09 07:39:01 (GMT) committer Steffen Klassert 2013-09-16 07:39:37 (GMT) xfrm: Fix replay size checking on async events We pass the wrong netlink attribute to xfrm_replay_verify_len(). It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as we currently doing. This causes memory corruptions if the replay esn attribute has incorrect length. Fix this by passing the right attribute to xfrm_replay_verify_len(). Reported-by: Michael Rossberg Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9 Merge: 84843a3 0a0ced6 Author: Brad Spengler Date: Sun Sep 15 11:24:30 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/wireless/ath/ath10k/core.c drivers/net/wireless/ath/ath10k/htc.c commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d Author: Brad Spengler Date: Sun Sep 15 11:21:43 2013 -0400 Update to pax-linux-3.11.1-test6.patch: - forward port to 3.11.1 - fixed some CONSTIFY fallout, reported by spender - fixed INVPCID on i386, reported by spender - simplified/consolidated the recent security_ops change arch/x86/include/asm/mmu_context.h | 4 ++-- arch/x86/include/asm/tlbflush.h | 6 +++--- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.c | 7 ++++--- include/linux/security.h | 2 -- security/security.c | 3 --- security/selinux/hooks.c | 5 +++-- 8 files changed, 16 insertions(+), 19 deletions(-) commit 84843a394cde0578be728cb5fd34da9859dcf110 Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit cc7c916cac4c2eb0ec243690627e2b6a13234fef Author: Brad Spengler Date: Sun Sep 15 08:53:27 2013 -0400 resync with PaX security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit fdeadf7ba061242685e07a2504c6be99161f292c Author: Brad Spengler Date: Sat Sep 14 23:04:53 2013 -0400 Fix constification of ath10k_hif_cb struct located on stack drivers/net/wireless/ath/ath10k/hif.h | 1 + drivers/net/wireless/ath/ath10k/htc.c | 2 +- 2 files changed, 2 insertions(+), 1 deletions(-) commit 73c6875760e610cb636f86566a1be7a744d89b82 Author: Brad Spengler Date: Sat Sep 14 22:41:06 2013 -0400 use a no_const typedef for ath10k_htc_ops, which is located on the stack drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.h | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) commit bffb0279b95b717c739365a5a25ca0391e7479b1 Author: Brad Spengler Date: Sat Sep 14 22:13:46 2013 -0400 fix compilation error under constify drivers/net/wireless/ath/ath10k/core.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1044c726fd98de89a711c6655f811600d4051e46 Merge: ffc8003 e39d12a Author: Brad Spengler Date: Sat Sep 14 21:57:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit e39d12a3b877293ba677bf7642c8887144ae1576 Author: Brad Spengler Date: Sat Sep 14 21:56:56 2013 -0400 Update to pax-linux-3.11-test5.patch: - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd) - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin mm/mremap.c | 5 ++++- tools/gcc/kernexec_plugin.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b Author: Brad Spengler Date: Sat Sep 14 21:48:03 2013 -0400 fix compile error introduced by pipacs security/selinux/hooks.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 874e80f445b1325df45f04cc317f67587e241218 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a Author: Brad Spengler Date: Sat Sep 14 19:53:56 2013 -0400 change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs arch/x86/include/asm/tlbflush.h | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838 Author: Daniel Borkmann Date: Sat Sep 7 16:44:59 2013 +0200 Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95 net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE If we do not add braces around ... mask |= POLLERR | sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; ... then this condition always evaluates to true as POLLERR is defined as 8 and binary or'd with whatever result comes out of sock_flag(). Hence instead of (X | Y) ? A : B, transform it into X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix smatch warnings inside datagram_poll") forgot about SCTP. :-( Introduced by 7d4c04fc170 ("net: add option to enable error queue packets waking select"). Signed-off-by: Daniel Borkmann Cc: Jacob Keller Acked-by: Neil Horman Acked-by: Vlad Yasevich Acked-by: Jacob Keller Signed-off-by: David S. Miller net/sctp/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986 Author: Jason Wang Date: Wed Sep 11 18:09:48 2013 +0800 Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0 tuntap: correctly handle error in tun_set_iff() Commit c8d68e6be1c3b242f1c598595830890b65cea64a (tuntap: multiqueue support) only call free_netdev() on error in tun_set_iff(). This causes several issues: - memory of tun security were leaked - use after free since the flow gc timer was not deleted and the tfile were not detached This patch solves the above issues. Reported-by: Wannes Rombouts Cc: Michael S. Tsirkin Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/net/tun.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit b504140d8590bd67ed481ea84824a9846dde2d74 Author: Herbert Xu Date: Sun Sep 8 14:33:50 2013 +1000 Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa crypto: api - Fix race condition in larval lookup crypto_larval_lookup should only return a larval if it created one. Any larval created by another entity must be processed through crypto_larval_wait before being returned. Otherwise this will lead to a larval being killed twice, which will most likely lead to a crash. Cc: stable@vger.kernel.org Reported-by: Kees Cook Tested-by: Kees Cook Signed-off-by: Herbert Xu crypto/api.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit f4212fa9ec1c34c59fabc43904e16112b776b6b2 Author: Daniel Borkmann Date: Wed Sep 11 16:58:36 2013 +0200 Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7 net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport does not seem to have the desired effect: SCTP + IPv4: 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): SCTP + IPv6: 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] Moreover, Alan says: This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X): ... 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side. Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb. Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like: SCTP + IPv6: 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch. [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf Reported-by: Alan Chester Reported-by: Alexey Dobriyan Signed-off-by: Daniel Borkmann Cc: Steffen Klassert Cc: Hannes Frederic Sowa Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/ipv6.c | 42 +++++++++++++----------------------------- 1 files changed, 13 insertions(+), 29 deletions(-) commit 726915e42b1a23b88cd420029003d82208a30006 Author: Kees Cook Date: Fri Sep 13 14:52:04 2013 -0700 Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7 isdn: clean up debug format string usage Avoid unneeded local string buffers for constructing debug output. Also cleans up debug calls that contain a single parameter so that they cannot be accidentally parsed as format strings. Signed-off-by: Kees Cook Cc: Karsten Keil Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: David S. Miller drivers/isdn/hisax/amd7930_fn.c | 4 +- drivers/isdn/hisax/avm_pci.c | 4 +- drivers/isdn/hisax/config.c | 2 +- drivers/isdn/hisax/diva.c | 4 +- drivers/isdn/hisax/elsa.c | 2 +- drivers/isdn/hisax/elsa_ser.c | 2 +- drivers/isdn/hisax/hfc_pci.c | 2 +- drivers/isdn/hisax/hfc_sx.c | 2 +- drivers/isdn/hisax/hscx_irq.c | 4 +- drivers/isdn/hisax/icc.c | 4 +- drivers/isdn/hisax/ipacx.c | 8 +++--- drivers/isdn/hisax/isac.c | 4 +- drivers/isdn/hisax/isar.c | 6 ++-- drivers/isdn/hisax/jade.c | 18 ++++---------- drivers/isdn/hisax/jade_irq.c | 4 +- drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++------------------------- drivers/isdn/hisax/netjet.c | 2 +- drivers/isdn/hisax/q931.c | 6 ++-- drivers/isdn/hisax/w6692.c | 8 +++--- 19 files changed, 57 insertions(+), 79 deletions(-) commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3 Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 5dea4b212b0405d6bcbea57516d77b21035d1178 Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c fs/namei.c | 50 +++++++++++--------------------------------------- 1 files changed, 11 insertions(+), 39 deletions(-) commit a7d5c5e2d0fd4831df19247e41c73c362809b00f Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be3db5fa6532557384fb66d2d9297d77666912cf Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce9afc12137b65991bfc7cce70e28d86bbb76956 Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 84aa149aa0f178516f5784d028522d60d35696c9 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1145b56059535549be226da9891b56ab2d902b2f Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4 Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 74dc00678ec84a254617b500a2880974dac95220 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 889852764d245f44e416da4eb203fda0bd327584 Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit f30e932a87f25b53779d1f92b49923f8a2dc9834 Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit f9eac59133855befee23d0c899e0d0e6ebcd3d44 Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9f5ae466957014bc300929374ebb7afdd9d116d6 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit b643b8f8af23488d92f16a817bf16c162d612ce1 Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 975723a41239b1befae172e88082ff4422753508 Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 05c3db7daee82d79c628c15b304f8621159e14f3 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a79f25f59fdd0abaf4ecfab93017aa49de089498 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 6fe8eb06e432f165872d3486fdce0d09de1515b3 Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c147e32922dd91edf1969b8a6eb333aafb4abb79 Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683 Author: Kees Cook Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit abde07f6c047c0331f511318cb49a36d49218dfc Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit d502375416b17270008ebdf11f1c3be7837f7c50 Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit f6c363aba68cccff2815a488a7e9ed68990100d2 Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit 5c0737b045d057152a39154746d8c8e5d59185ed Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6 Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d4d49138661d5cb646f0dd012178447380b79956 Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 4a307f7d3ff3ab232c0b6341415088e7618c494e Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 78011eb5c2454b8afc96b98bd86ac172e589b13c Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e670dc535e4501fd12d8bf00f1e1306c44266fe7 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 2834fe28e69176da6ac4989c6e3dc713faafefe5 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 2669672647f6955f0e5154596492c73cd4fda330 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 75de5da79f5e03936a79ffe2c827462000001985 Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 9055a8feb8493a30d1ad0fcef25eb496630d223f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 129b6204587740fd082e731a54d00e8a9fc35f8b Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit 67fc73af0876d311c0d01d3b16fa429f44af12b9 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 798adb5cab6c3a8056e1b415e6f34a270f369721 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 4d4945ce90d83784634b898f83cb5a7699537733 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6db464f72eff84f77335b69dc2748a3759e151d1 Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit e78a78dcfc089142273243b54509840d3b50c538 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b27005e62bebc09e6604a6f5dc099742bb6b4434 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 101b84a778c254dfd7399f5bcd6264ff437f1176 Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3e182e4da46de4c6b9a9f45d41030bef19260954 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 32537d92b8da84f38bf45eb85b6953f452064936 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 12 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 128 ++- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++--------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 256 +++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 ++- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 +++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 235 files changed, 4384 insertions(+), 1312 deletions(-) commit a76b033c58b4886552911442f1b89e0cee041dae Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit d1cf217118e0750f54aca9136d8c6a41f0ae439c Author: Brad Spengler Date: Sat Sep 14 14:36:40 2013 -0400 Initial import of pax-linux-3.11-test4.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 23 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 104 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 16 +- arch/x86/ia32/ia32entry.S | 157 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 74 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 128 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 82 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 112 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 130 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 +- arch/x86/kernel/entry_64.S | 669 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 65 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 19 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 89 +- arch/x86/lib/copy_user_nocache_64.S | 22 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 13 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 22 +- arch/x86/lib/memmove_64.S | 36 +- arch/x86/lib/memset_64.S | 11 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 571 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 139 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 39 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 7 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 24 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/host1x/drm/dc.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bcache/super.c | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.h | 4 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 6 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 648 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 18 +- fs/dcache.c | 3 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 38 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 6 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 41 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 5 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 17 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 8 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/random.h | 15 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 +- include/linux/seq_file.h | 1 + include/linux/signal.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 32 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 18 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 84 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 12 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 170 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 10 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 74 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 49 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 32 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 588 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 108 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 10 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 6 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ieee802154/6lowpan.c | 2 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 4 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 690 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 12 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 6 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 471 ++ tools/gcc/latent_entropy_plugin.c | 321 + tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2113 +++++++ tools/gcc/stackleak_plugin.c | 327 + tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1664 files changed, 32957 insertions(+), 7636 deletions(-) commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466 Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit d8981a4fd03025434a466fd87a0eaea93755bc70 Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change init/main.c | 12 +++--------- 1 files changed, 3 insertions(+), 9 deletions(-) commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit ecdd0610bef058fd33fee50b489d949c1a0db07a Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC arch/arm/mm/fault.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 3f4adfade80bba0d865b5c603bd58da555ca4553 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit d4a9bb63091852b5b49ebd216796b374e5c0dc71 Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit e727db195f8bed17c65d050e1772643d730fe565 Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb Merge: 2fcc3a5 2d1263b Author: Brad Spengler Date: Fri Nov 22 21:11:44 2013 -0500 Merge branch 'pax-test' into grsec-test commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1 Merge: d52f291 e0cd057 Author: Brad Spengler Date: Fri Nov 22 21:11:33 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: drivers/net/ethernet/chelsio/cxgb3/sge.c commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972 Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b Author: Hannes Frederic Sowa Date: Mon Nov 18 07:07:45 2013 +0100 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 ping: prevent NULL pointer dereference on write to msg_name A plain read() on a socket does set msg->msg_name to NULL. So check for NULL pointer first. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv4/ping.c | 34 +++++++++++++++++++--------------- 1 files changed, 19 insertions(+), 15 deletions(-) commit 8bb32f2682953e1b748a59c4a4363b237c3510df Author: Hannes Frederic Sowa Date: Mon Nov 18 04:20:45 2013 +0100 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb Suggested-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ieee802154/dgram.c | 3 +-- net/ipv4/ping.c | 19 +++++++------------ net/ipv4/raw.c | 4 +--- net/ipv4/udp.c | 7 +------ net/ipv6/raw.c | 4 +--- net/ipv6/udp.c | 5 +---- net/l2tp/l2tp_ip.c | 4 +--- net/phonet/datagram.c | 9 ++++----- 8 files changed, 17 insertions(+), 38 deletions(-) commit 642d754081c130a151e7df27e5c07edf2f368106 Author: Jeff Layton Date: Wed Nov 13 09:08:21 2013 -0500 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. There is no guarantee that doing so will work however, so we can end up retrying the call in an infinite loop. Worse yet, we create the new client using rpc_clone_client_set_auth, which creates the new client as a child of the old one. Thus, we can end up with a *very* long lineage of rpc_clnts. When we go to put all of the references to them, we can end up with a long call chain that can smash the stack as each rpc_free_client() call can recurse back into itself. This patch fixes this by simply ensuring that the SETCLIENTID call will only be retried in this situation if the last attempt did not use RPC_AUTH_UNIX. Note too that with this change, we don't need the (i > 2) check in the -EACCES case since we now have a more reliable test as to whether we should reattempt. Cc: stable@vger.kernel.org # v3.10+ Cc: Chuck Lever Tested-by/Acked-by: Weston Andros Adamson Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2 Author: Chuck Lever Date: Wed Jul 24 12:28:28 2013 -0400 Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e NFS: Use root's credential for lease management when keytab is missing Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting" Fri Sep 14 17:24:32 2012 introduced Uniform Client String support, which forces our NFS client to establish a client ID immediately during a mount operation rather than waiting until a user wants to open a file. Normally machine credentials (eg. from a keytab) are used to perform a mount operation that is protected by Kerberos. Before 05fc350, SETCLIENTID used a machine credential, or fell back to a regular user's credential if no keytab is available. On clients that don't have a keytab, performing SETCLIENTID early means there's no user credential to fall back on, since no regular user has kinit'd yet. 05f4c350 seems to have broken the ability to mount with sec=krb5 on clients that don't have a keytab in kernels 3.7 - 3.10. To address this regression, commit 4edaa308 (NFS: Use "krb5i" to establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013, was merged in 3.10. This commit forces the NFS client to fall back to AUTH_SYS for lease management operations if no keytab is available. Neil Brown noticed that, since root is required to kinit to do a sec=krb5 mount when a client doesn't have a keytab, we can try to use root's Kerberos credential before AUTH_SYS. Now, when determining a principal and flavor to use for lease management, the NFS client tries in this order: 1. Flavor: AUTH_GSS, krb5i Principal: service principal (via keytab) 2. Flavor: AUTH_GSS, krb5i Principal: user principal established for UID 0 (via kinit) 3. Flavor: AUTH_SYS Principal: UID 0 / GID 0 Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) commit 6ebab64904f37af82e950b0c6d321437e810b248 Author: Trond Myklebust Date: Tue Nov 12 17:24:36 2013 -0500 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b SUNRPC: Avoid deep recursion in rpc_release_client In cases where an rpc client has a parent hierarchy, then rpc_free_client may end up calling rpc_release_client() on the parent, thus recursing back into rpc_free_client. If the hierarchy is deep enough, then we can get into situations where the stack simply overflows. The fix is to have rpc_release_client() loop so that it can take care of the parent rpc client hierarchy without needing to recurse. Reported-by: Jeff Layton Reported-by: Weston Andros Adamson Reported-by: Bruce Fields Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit fcb4306973aed105cc6d042077bf31e21b812008 Author: Trond Myklebust Date: Fri Nov 8 16:03:50 2013 -0500 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 SUNRPC: Fix a data corruption issue when retransmitting RPC calls The following scenario can cause silent data corruption when doing NFS writes. It has mainly been observed when doing database writes using O_DIRECT. 1) The RPC client uses sendpage() to do zero-copy of the page data. 2) Due to networking issues, the reply from the server is delayed, and so the RPC client times out. 3) The client issues a second sendpage of the page data as part of an RPC call retransmission. 4) The reply to the first transmission arrives from the server _before_ the client hardware has emptied the TCP socket send buffer. 5) After processing the reply, the RPC state machine rules that the call to be done, and triggers the completion callbacks. 6) The application notices the RPC call is done, and reuses the pages to store something else (e.g. a new write). 7) The client NIC drains the TCP socket send buffer. Since the page data has now changed, it reads a corrupted version of the initial RPC call, and puts it on the wire. This patch fixes the problem in the following manner: The ordering guarantees of TCP ensure that when the server sends a reply, then we know that the _first_ transmission has completed. Using zero-copy in that situation is therefore safe. If a time out occurs, we then send the retransmission using sendmsg() (i.e. no zero-copy), We then know that the socket contains a full copy of the data, and so it will retransmit a faithful reproduction even if the RPC call completes, and the application reuses the O_DIRECT buffer in the meantime. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- 1 files changed, 21 insertions(+), 7 deletions(-) commit 2c59d4080ae744532dbe595f6923dcba72279977 Merge: b2b99c6 d52f291 Author: Brad Spengler Date: Mon Nov 18 19:07:55 2013 -0500 Merge branch 'pax-test' into grsec-test commit d52f291621da9227cda5fd647e82dfe9bfc11265 Author: Brad Spengler Date: Mon Nov 18 19:07:14 2013 -0500 Update to pax-linux-3.11.8-test14.patch: - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878) mm/page_alloc.c | 2 +- tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++---------- 2 files changed, 25 insertions(+), 11 deletions(-) commit b2b99c6972e345565d561b722de210f071e5e259 Author: Brad Spengler Date: Thu Nov 14 20:47:37 2013 -0500 Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e ipv6: fix headroom calculation in udp6_ufo_fragment Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp fragmentation for tunnel traffic.") changed the calculation if there is enough space to include a fragment header in the skb from a skb->mac_header dervived one to skb_headroom. Because we already peeled off the skb to transport_header this is wrong. Change this back to check if we have enough room before the mac_header. This fixes a panic Saran Neti reported. He used the tbf scheduler which skb_gso_segments the skb. The offsets get negative and we panic in memcpy because the skb was erroneously not expanded at the head. Reported-by: Saran Neti Cc: Pravin B Shelar Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/udp_offload.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 012ee7647e16f464f8d1ad004e28eac2ba778158 Author: Dan Carpenter Date: Thu Nov 14 11:21:10 2013 +0300 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 isdnloop: use strlcpy() instead of strcpy() These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f Author: Eric Dumazet Date: Thu Nov 14 13:37:54 2013 -0800 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf ipv4: fix possible seqlock deadlock ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters. Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") Signed-off-by: Eric Dumazet Reported-by: Dave Jones Signed-off-by: David S. Miller net/ipv4/datagram.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1a642170613ae336331f2df38aa8f2c1227d3c96 Merge: 60c6423 84d78c7 Author: Brad Spengler Date: Thu Nov 14 20:28:51 2013 -0500 Merge branch 'pax-test' into grsec-test commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730 Author: Brad Spengler Date: Thu Nov 14 20:28:07 2013 -0500 Update to pax-linux-3.11.8-test13.patch: - forward port to 3.11.8 - removed some no longer used code from bpf jit - fixed some atomic_unchecked_t usage in oprofile and uio - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy arch/x86/include/asm/mmu_context.h | 8 ++++++++ arch/x86/kernel/setup.c | 2 +- drivers/bluetooth/btwilink.c | 2 +- drivers/md/dm-table.c | 2 +- drivers/message/i2o/i2o_proc.c | 16 ++++++++-------- drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/oprofilefs.c | 4 ++-- drivers/platform/x86/msi-wmi.c | 2 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++---- drivers/usb/serial/console.c | 2 +- include/linux/filter.h | 4 ---- kernel/audit.c | 2 +- 20 files changed, 41 insertions(+), 45 deletions(-) commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43 Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit 27c3b43bd5ad9c9b877016f26192dbc30da54018 Merge: 08e883f d0a09ad Author: Brad Spengler Date: Wed Nov 13 22:27:13 2013 -0500 Merge branch 'pax-test' into grsec-test commit d0a09ad6430008135b98da6e1941e98a6110b59e Merge: 4e826ac 02709ef Author: Brad Spengler Date: Wed Nov 13 22:27:03 2013 -0500 Merge branch 'linux-3.11.y' into pax-test commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 094c08532f9877a287ffac7a87b05841a56b4e5d Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e383790f8252620f52895e202cc057c4318da3f4 Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26 Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 17f832897194f46c4759aa02e048ad5623a04eed Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20 Merge: fb281bd 4e826ac Author: Brad Spengler Date: Wed Nov 6 17:27:16 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/l2tp/l2tp_core.c commit 4e826ac763867707352d93b7d23ed86e4c6829cf Merge: e309bfb 39773be Author: Brad Spengler Date: Wed Nov 6 17:26:23 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: net/compat.c commit fb281bdee5ccb76facfe1172318a867b624011f4 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba Author: Dan Carpenter Date: Tue Oct 29 23:01:43 2013 +0300 Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Staging: sb105x: info leak in mp_get_count() The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/sb105x/sb_pci_mp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de Author: Dan Carpenter Date: Tue Oct 29 22:06:04 2013 +0300 Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write() We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds arch/um/kernel/exitcode.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 1285d10ec38f216f3c5de7ce085ce43447c78916 Author: Jason Wang Date: Fri Nov 1 15:01:10 2013 +0800 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd net: flow_dissector: fail on evil iph->ihl We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/core/flow_dissector.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc Author: Ming Lei Date: Thu Oct 31 16:34:17 2013 -0700 Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to. Unfortunately, the commit may introduce a potential bug: - Before sending some SCSI commands, kmalloc() buffer may be passed to block layper, so flush_kernel_dcache_page() can see a slab page finally - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page. - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered. Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page(). Signed-off-by: Ming Lei Reported-by: Aaro Koskinen Tested-by: Simon Baatz Cc: Russell King - ARM Linux Cc: Will Deacon Cc: Aaro Koskinen Acked-by: Catalin Marinas Cc: FUJITA Tomonori Cc: Tejun Heo Cc: "James E.J. Bottomley" Cc: Jens Axboe Cc: [3.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/scatterlist.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4 Author: Dan Carpenter Date: Tue Oct 29 23:01:11 2013 +0300 Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba Staging: bcm: info leak in ioctl The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/bcm/Bcmchar.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a2ab9d69265a08280241a2f2152e535316d02f53 Author: Dan Carpenter Date: Tue Oct 29 22:11:06 2013 +0300 Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5 aacraid: missing capable() check in compat ioctl In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/scsi/aacraid/linit.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e Author: Dan Carpenter Date: Tue Oct 29 23:00:15 2013 +0300 Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054 staging: wlags49_h2: buffer overflow setting station name We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit afd645c1684265260b64ec8189cbc2703b91f6ab Author: Dan Carpenter Date: Tue Oct 29 22:07:47 2013 +0300 Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 staging: ozwpan: prevent overflow in oz_cdev_write() We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/ozwpan/ozcdev.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 4a907baeb462b7e0f50923be5a9d842aec93c97a Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds Date: Sun Oct 27 15:17:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit e309bfbf7b506b2294b30233f7a3299173a75cf7 Author: Hugh Dickins Date: Wed Oct 16 13:47:09 2013 -0700 Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779 mm: revert mremap pud_free anti-fix Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail calling pmd_alloc()"). The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map() ensure that the pud, pmd, pt is already allocated, and seldom do they need to allocate; on failure, upper levels are freed if appropriate by the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an unconditional pud_free() of a most-likely still-in-use pud: saved only by the near-impossiblity of pmd_alloc() failing. Signed-off-by: Hugh Dickins Cc: Chen Gang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mremap.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 0970b16a9df08b8cca6929b6443f67df432ac3e5 Author: Eric Dumazet Date: Tue Oct 1 21:04:11 2013 -0700 Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693 net: do not call sock_put() on TIMEWAIT sockets commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. We should instead use inet_twsk_put() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/inet_hashtables.c | 2 +- net/ipv6/inet6_hashtables.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28 Author: Andi Kleen Date: Mon Sep 30 13:29:08 2013 -0700 Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645 igb: Avoid uninitialized advertised variable in eee_set_cur eee_get_cur assumes that the output data is already zeroed. It can read-modify-write the advertised field: if (ipcnfg & E1000_IPCNFG_EEE_100M_AN) 2594 edata->advertised |= ADVERTISED_100baseT_Full; This is ok for the normal ethtool eee_get call, which always zeroes the input data before. But eee_set_cur also calls eee_get_cur and it did not zero the input field. Later on it then compares agsinst the field, which can contain partial stack garbage. Zero the input field in eee_set_cur() too. Cc: jeffrey.t.kirsher@intel.com Cc: netdev@vger.kernel.org Signed-off-by: Andi Kleen Acked-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 651730a8caabce37f78d8e6c84283b96e434d19f Author: Dan Carpenter Date: Thu Oct 3 00:27:20 2013 +0300 Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8 net: heap overflow in __audit_sockaddr() We need to cap ->msg_namelen or it leads to a buffer overflow when we to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to exploit this bug. The call tree is: ___sys_recvmsg() move_addr_to_user() audit_sockaddr() __audit_sockaddr() Reported-by: Jüri Aedla Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Conflicts: net/compat.c net/compat.c | 2 ++ net/socket.c | 24 ++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc Author: Salva Peiró Date: Wed Oct 16 12:46:50 2013 +0200 Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 wanxl: fix info leak in ioctl The wanxl_ioctl() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: David S. Miller drivers/net/wan/wanxl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f Author: Geyslan G. Bem Date: Fri Oct 11 16:49:16 2013 -0300 Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4 ecryptfs: Fix memory leakage in keystore.c In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem Signed-off-by: Tyler Hicks Cc: stable@vger.kernel.org # v2.6.28+ fs/ecryptfs/keystore.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 0ccb7b191245318a36bbd1f59a1846dda72cb738 Author: Colin Ian King Date: Thu Oct 24 14:08:07 2013 +0000 Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e eCryptfs: fix 32 bit corruption issue Shifting page->index on 32 bit systems was overflowing, causing data corruption of > 4GB files. Fix this by casting it first. https://launchpad.net/bugs/1243636 Signed-off-by: Colin Ian King Reported-by: Lars Duesing Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Tyler Hicks fs/ecryptfs/crypto.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4 Author: Brad Spengler Date: Sun Oct 27 13:29:49 2013 -0400 This is a replacement patch only for stable which does fix the problems handled by the following two commits in -net: "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) Three frames are written on a corked udp socket for which the output netdevice has UFO enabled. If the first and third frame are smaller than the mtu and the second one is bigger, we enqueue the second frame with skb_append_datato_frags without initializing the gso fields. This leads to the third frame appended regulary and thus constructing an invalid skb. This fixes the problem by always using skb_append_datato_frags as soon as the first frag got enqueued to the skb without marking the packet as SKB_GSO_UDP. The problem with only two frames for ipv6 was fixed by "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO" (2811ebac2521ceac84f2bdae402455baa6a7fb47). Cc: Jiri Pirko Cc: Eric Dumazet Cc: David Miller Signed-off-by: Hannes Frederic Sowa include/linux/skbuff.h | 5 +++++ net/ipv4/ip_output.c | 2 +- net/ipv6/ip6_output.c | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) commit aead8ff29424c6a5d25eb4614be91a01f9f6af00 Merge: 5cf8361 ddadc82 Author: Brad Spengler Date: Sat Oct 26 08:42:26 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec Author: Brad Spengler Date: Sat Oct 26 08:41:24 2013 -0400 - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e) - updated config help for latent entropy to reflect recent changes arch/x86/include/asm/uaccess_64.h | 4 ++-- security/Kconfig | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad Author: Johannes Weiner Date: Wed Oct 16 13:47:00 2013 -0700 Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc fs: buffer: move allocation failure loop into the allocator Buffer allocation has a very crude indefinite loop around waking the flusher threads and performing global NOFS direct reclaim because it can not handle allocation failures. The most immediate problem with this is that the allocation may fail due to a memory cgroup limit, where flushers + direct reclaim might not make any progress towards resolving the situation at all. Because unlike the global case, a memory cgroup may not have any cache at all, only anonymous pages but no swap. This situation will lead to a reclaim livelock with insane IO from waking the flushers and thrashing unrelated filesystem cache in a tight loop. Use __GFP_NOFAIL allocations for buffers for now. This makes sure that any looping happens in the page allocator, which knows how to orchestrate kswapd, direct reclaim, and the flushers sensibly. It also allows memory cgroups to detect allocations that can't handle failure and will allow them to ultimately bypass the limit if reclaim can not make progress. Reported-by: azurIt Signed-off-by: Johannes Weiner Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/buffer.c | 14 ++++++++++++-- mm/memcontrol.c | 2 ++ 2 files changed, 14 insertions(+), 2 deletions(-) commit 799326c8683d8d70b2035b1e5ab913c159112b6b Author: Miklos Szeredi Date: Thu Oct 10 16:48:19 2013 +0200 Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 ext[34]: fix double put in tmpfile d_tmpfile() already swallowed the inode ref. Signed-off-by: Miklos Szeredi Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ext3/namei.c | 5 ++--- fs/ext4/namei.c | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3 Author: Jan Klos Date: Sun Oct 6 21:08:20 2013 +0200 Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20 cifs: Fix inability to write files >2GB to SMB2/3 shares When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super(). The patch fixes this by checking for the correct bit according to the protocol version. CC: Stable Signed-off-by: Jan Klos Reviewed-by: Jeff Layton Signed-off-by: Steve French fs/cifs/cifsfs.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22 Author: Tim Gardner Date: Sun Oct 13 13:29:03 2013 -0600 Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a cifs: ntstatus_to_dos_map[] is not terminated Functions that walk the ntstatus_to_dos_map[] array could run off the end. For example, ntstatus_to_dos() loops while ntstatus_to_dos_map[].ntstatus is not 0. Granted, this is mostly theoretical, but could be used as a DOS attack if the error code in the SMB header is bogus. [Might consider adding to stable, as this patch is low risk - Steve] Reviewed-by: Jeff Layton Signed-off-by: Tim Gardner Signed-off-by: Steve French fs/cifs/netmisc.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit ed8c09a96fa260e1864c632e1dd91b1320876305 Author: Eric Dumazet Date: Tue Oct 15 11:54:30 2013 -0700 Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9 tcp: must unclone packets before mangling them TCP stack should make sure it owns skbs before mangling them. We had various crashes using bnx2x, and it turned out gso_size was cleared right before bnx2x driver was populating TC descriptor of the _previous_ packet send. TCP stack can sometime retransmit packets that are still in Qdisc. Of course we could make bnx2x driver more robust (using ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. We have identified two points where skb_unclone() was needed. This patch adds a WARN_ON_ONCE() to warn us if we missed another fix of this kind. Kudos to Neal for finding the root cause of this bug. Its visible using small MSS. Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Cc: Yuchung Cheng Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit e5dcf1772ca2a85952da10a21d0650507dc061d3 Author: Dan Carpenter Date: Mon Oct 14 15:28:38 2013 +0300 Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5 yam: integer underflow in yam_ioctl() We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be negative. I don't know the impact of using a negative bitrate but let's prevent it. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller include/linux/yam.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1f5d72d633f317248bba25158c326a61394aebf2 Merge: 7ca4328 4df1b96 Author: Brad Spengler Date: Fri Oct 18 19:36:17 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: ipc/shm.c commit 4df1b965687831808af2548487e0f35a2ccc5c29 Merge: e41125e 5070441 Author: Brad Spengler Date: Fri Oct 18 19:35:31 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/kernel/setup.c commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525 Author: Brad Spengler Date: Wed Oct 16 18:35:00 2013 -0400 From: Mathias Krause To: Evgeniy Polyakov Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check. Cc: stable@vger.kernel.org # v2.6.14+ Signed-off-by: Mathias Krause drivers/connector/connector.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489 Author: Brad Spengler Date: Wed Oct 16 18:36:25 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause kernel/audit.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9557a8727fd46e68f092dec0830a982e85b231f7 Author: Brad Spengler Date: Wed Oct 16 19:02:32 2013 -0400 add 2nd chunk of audit nlmsg_len() fix from minipli kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd Author: Brad Spengler Date: Wed Oct 16 18:37:59 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7547b29750381c776dfd47f4b1277a492d5b0f72 Author: Brad Spengler Date: Wed Oct 16 18:41:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Bart De Schuymer Signed-off-by: Mathias Krause Conflicts: net/bridge/netfilter/ebt_ulog.c net/bridge/netfilter/ebt_ulog.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528 Author: Brad Spengler Date: Wed Oct 16 18:43:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Signed-off-by: Mathias Krause Conflicts: net/ipv4/netfilter/ipt_ULOG.c net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 2965f6e6122325a18e69296ad3817c66ca59b7e3 Author: Brad Spengler Date: Wed Oct 16 18:49:45 2013 -0400 From: Mathias Krause To: "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH net] unix_diag: fix info leak When filling the netlink message we miss to wipe the pad field, therefore leak one byte of heap memory to userland. Fix this by setting pad to 0. Signed-off-by: Mathias Krause net/unix/diag.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc Author: Mathias Krause Date: Mon Sep 30 22:03:06 2013 +0200 Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682 proc connector: fix info leaks Initialize event_data for all possible message types to prevent leaking kernel stack contents to userland (up to 20 bytes). Also set the flags member of the connector message to 0 to prevent leaking two more stack bytes this way. Cc: stable@vger.kernel.org # v2.6.15+ Signed-off-by: Mathias Krause Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04 Author: AKASHI Takahiro Date: Wed Oct 9 15:58:29 2013 +0100 Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() In ftrace_syscall_enter(), syscall_get_arguments(..., 0, n, ...) if (i == 0) { ...; n--;} memcpy(..., n * sizeof(args[0])); If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in syscall_get_arguments(), none of arguments should be copied by memcpy(). Otherwise 'n--' can be a big positive number and unexpected amount of data will be copied. Tracing system calls which take no argument, say sync(void), may hit this case and eventually make the system corrupted. This patch fixes the issue both in syscall_get_arguments() and syscall_set_arguments(). Cc: Acked-by: Will Deacon Signed-off-by: AKASHI Takahiro Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/include/asm/syscall.h | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2 Author: Dave Jones Date: Thu Oct 10 20:05:35 2013 -0400 Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc ext4: fix memory leak in xattr If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentionally return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way. Spotted with Coverity. [ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug. -- Ted ] Signed-off-by: Dave Jones Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Cc: stable@vger.kernel.org fs/ext4/xattr.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 224e55268fbd4f81fca479e315c9483df591411d Author: Salva Peiró Date: Fri Oct 11 12:50:03 2013 +0300 Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194 farsync: fix info leak in ioctl The fst_get_iface() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/net/wan/farsync.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9 Author: James Hogan Date: Mon Oct 7 12:14:26 2013 +0100 Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92 MIPS: stack protector: Fix per-task canary switch Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary per task) was merged in v3.11 and introduced assembly in the MIPS resume functions to update the value of the current canary in __stack_chk_guard. However it used PTR_L resulting in a load of the canary value, instead of PTR_LA to construct its address. The value is intended to be random but is then treated as an address in the subsequent LONG_S (store). This was observed to cause a fault and panic: CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4 Oops[#1]: ... $24 : 139fea20 1e1f7cb6 ... Call Trace: [<8000cc0c>] resume+0xac/0x118 [<8034f2a4>] __schedule+0x5f8/0x78c [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c [<80348eec>] rest_init+0x74/0x84 [<804dc990>] start_kernel+0x43c/0x454 Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc This can also be forced by modifying arch/mips/include/asm/stackprotector.h so that the default __stack_chk_guard value is more likely to be a bad (or unaligned) pointer. Fix it to use PTR_LA instead, to load the address of the canary value, which the LONG_S can then use to write into it. Reported-by: bobjones (via #mipslinux on IRC) Signed-off-by: James Hogan Cc: Ralf Baechle Cc: Gregory Fong Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/6026/ Signed-off-by: Ralf Baechle arch/mips/kernel/octeon_switch.S | 2 +- arch/mips/kernel/r2300_switch.S | 2 +- arch/mips/kernel/r4k_switch.S | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c Author: Fan Du Date: Tue Sep 17 15:14:13 2013 +0800 Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda xfrm: Guard IPsec anti replay window against replay bitmap For legacy IPsec anti replay mechanism: bitmap in struct xfrm_replay_state could only provide a 32 bits window size limit in current design, thus user level parameter sadb_sa_replay should honor this limit, otherwise misleading outputs("replay=244") by setkey -D will be: 192.168.25.2 192.168.22.2 esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000) E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2 A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=1 pid=4854 refcnt=0 192.168.22.2 192.168.25.2 esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000) E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282 A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=0 pid=4854 refcnt=0 And also, optimizing xfrm_replay_check window checking by setting the desirable x->props.replay_window with only doing the comparison once for all when xfrm_state is first born. Signed-off-by: Fan Du Signed-off-by: Steffen Klassert net/key/af_key.c | 3 ++- net/xfrm/xfrm_replay.c | 3 +-- net/xfrm/xfrm_user.c | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541 Author: Thomas Egerer Date: Thu Sep 19 13:19:19 2013 +0200 Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c xfrm: Fix aevent generation for each received packet If asynchronous events are enabled for a particular netlink socket, the notify function is called by the advance function. The notify function creates and dispatches a km_event if a replay timeout occurred, or at least replay_maxdiff packets have been received since the last asynchronous event has been sent. The function is supposed to return if neither of the two events were detected for a state, or replay_maxdiff is equal to zero. Replay_maxdiff is initialized in xfrm_state_construct to the value of the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state if the netlink attribute XFRMA_REPLAY_THRESH is set. If, however, replay_maxdiff is set to zero, then all of the three notify implementations perform a break from the switch statement instead of checking whether a timeout occurred, and -- if not -- return. As a result an asynchronous event is generated for every replay update of a state that has a zero replay_maxdiff value. This patch modifies the notify functions such that they immediately return if replay_maxdiff has the value zero, unless a timeout occurred. Signed-off-by: Thomas Egerer Signed-off-by: Steffen Klassert net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++---------------------- 1 files changed, 27 insertions(+), 24 deletions(-) commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8 Author: Steffen Klassert Date: Tue Oct 8 10:49:45 2013 +0200 Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee xfrm: Add refcount handling to queued policies We need to ensure that policies can't go away as long as the hold timer is armed, so take a refcont when we arm the timer and drop one if we delete it. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 24 +++++++++++++++++------- 1 files changed, 17 insertions(+), 7 deletions(-) commit b4948dc963442682534b3a039664b564c764e4f8 Author: Steffen Klassert Date: Tue Oct 8 10:49:51 2013 +0200 Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 xfrm: check for a vaild skb in xfrm_policy_queue_process We might dreference a NULL pointer if the hold_queue is empty, so add a check to avoid this. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit fad7f264b264b0b17a307aa16162cb43c7688a30 Author: Marc Kleine-Budde Date: Mon Oct 7 23:19:58 2013 +0200 Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89 net: vlan: fix nlmsg size calculation in vlan_get_size() This patch fixes the calculation of the nlmsg size, by adding the missing nla_total_size(). Cc: Patrick McHardy Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller net/8021q/vlan_netlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd Author: François Cachereul Date: Wed Oct 2 10:16:02 2013 +0200 Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses IPv4 mapped addresses cause kernel panic. The patch juste check whether the IPv6 address is an IPv4 mapped address. If so, use IPv4 API instead of IPv6. [ 940.026915] general protection fault: 0000 [#1] [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 [ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 [ 940.026915] Stack: [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 [ 940.026915] Call Trace: [ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 [ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] [ 940.026915] [] ? pskb_expand_head+0x161/0x214 [ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] [ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] [ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] [ 940.026915] [] ? vfs_write+0xa2/0x106 [ 940.026915] [] ? SyS_write+0x56/0x8a [ 940.026915] [] ? system_call_fastpath+0x16/0x1b [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 [ 940.026915] RIP [] ip6_xmit+0x276/0x326 [ 940.026915] RSP [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: François CACHEREUL Signed-off-by: David S. Miller net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- net/l2tp/l2tp_core.h | 3 +++ 2 files changed, 26 insertions(+), 4 deletions(-) commit 2db6fe58460d400bc8b995fa2328be03e27e55e1 Merge: 28f9622 e41125e Author: Brad Spengler Date: Tue Oct 15 10:00:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/ds.c net/sysctl_net.c commit e41125e4742f332cd8cd8cf0c00cb189dba0e037 Merge: 740e5ec a145cb9 Author: Brad Spengler Date: Tue Oct 15 09:58:29 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 28f9622091224541efadf3ae006f0e5651c7fa45 Author: Brad Spengler Date: Tue Oct 1 22:48:34 2013 -0400 Fix this strlcpy crap properly arch/sparc/kernel/ds.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) commit 837193210e4125fe4e9e554b28d7bc33985f3554 Author: David S. Miller Date: Fri Sep 27 13:46:04 2013 -0700 Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355 sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using strlcpy() instead of strcpy()") added a bug to ldom_reboot in arch/sparc/kernel/ds.c - strcpy(full_boot_str + strlen("boot "), boot_command); + strlcpy(full_boot_str + strlen("boot "), boot_command, + sizeof(full_boot_str + strlen("boot "))); That last sizeof() expression evaluates to sizeof(size_t) which is not what was intended. Also even the corrected: sizeof(full_boot_str) + strlen("boot ") is not right as the destination buffer length is just plain "sizeof(full_boot_str)" and that's what the final argument should be. Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249 Author: Hannes Frederic Sowa Date: Sun Sep 29 05:40:50 2013 +0200 Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae ipv6: gre: correct calculation of max_headroom gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header, so initialize max_headroom to zero. Otherwise the if (encap_limit >= 0) { max_headroom += 8; mtu -= 8; } increments an uninitialized variable before max_headroom was reset. Found with coverity: 728539 Cc: Dmitry Kozlov Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller Conflicts: net/ipv6/ip6_gre.c net/ipv6/ip6_gre.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0d68ac550952d0eaf60851497ceee68dbba24516 Merge: 64257ad 740e5ec Author: Brad Spengler Date: Tue Oct 1 18:11:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-core.c drivers/hid/hid-lg2ff.c drivers/hid/hid-lg3ff.c drivers/hid/hid-lg4ff.c drivers/hid/hid-lgff.c drivers/hid/hid-logitech-dj.c drivers/hid/hid-steelseries.c drivers/hid/hid-zpff.c include/linux/hid.h commit 740e5ec087969afd43ae0b552b4e05914437ed32 Merge: c38c6b0 db20388 Author: Brad Spengler Date: Tue Oct 1 17:40:46 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 64257ad95c51285d415f93ebdd486fae6bb9415d Author: Hannes Frederic Sowa Date: Sat Sep 21 06:27:00 2013 +0200 Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47 ipv6: udp packets following an UFO enqueued packet need also be handled by UFO In the following scenario the socket is corked: If the first UDP packet is larger then the mtu we try to append it to the write queue via ip6_ufo_append_data. A following packet, which is smaller than the mtu would be appended to the already queued up gso-skb via plain ip6_append_data. This causes random memory corruptions. In ip6_ufo_append_data we also have to be careful to not queue up the same skb multiple times. So setup the gso frame only when no first skb is available. This also fixes a shortcoming where we add the current packet's length to cork->length but return early because of a packet > mtu with dontfrag set (instead of sutracting it again). Found with trinity. Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 53 ++++++++++++++++++++---------------------------- 1 files changed, 22 insertions(+), 31 deletions(-) commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6 Author: Dan Carpenter Date: Tue Sep 24 15:27:45 2013 -0700 Just a whitespace fix to sync with upstream as we already applied this fix via Vasiliy Kulikov in 2010. It fell through the cracks upstream cciss: fix info leak in cciss_ioctl32_passthru() The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter Acked-by: Mike Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: drivers/block/cciss.c drivers/block/cciss.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e Author: Paul E. McKenney Date: Tue Sep 24 18:29:11 2013 -0700 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b mm: Place preemption point in do_mlockall() loop There is a loop in do_mlockall() that lacks a preemption point, which means that the following can happen on non-preemptible builds of the kernel. Dave Jones reports: "My fuzz tester keeps hitting this. Every instance shows the non-irq stack came in from mlockall. I'm only seeing this on one box, but that has more ram (8gb) than my other machines, which might explain it. INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0) sending NMI to all CPUs: NMI backtrace for cpu 3 CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32 Call Trace: lru_add_drain_all+0x15/0x20 SyS_mlockall+0xa5/0x1a0 tracesys+0xdd/0xe2" This commit addresses this problem by inserting the required preemption point. Reported-by: Dave Jones Signed-off-by: Paul E. McKenney Cc: KOSAKI Motohiro Cc: Michel Lespinasse Cc: Andrew Morton Signed-off-by: Linus Torvalds mm/mlock.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9 Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit 55f1e409275973513a3314fe5bfa76a4781c0db7 Merge: 2eac654 c38c6b0 Author: Brad Spengler Date: Fri Sep 27 20:35:04 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-picolcd_core.c commit c38c6b0bbbe53bd528aeeb4a059764abc028c276 Merge: 115bf6a a3308b5 Author: Brad Spengler Date: Fri Sep 27 20:34:15 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/ia32/ia32_signal.c arch/x86/include/asm/checksum_32.h arch/x86/include/asm/mmu_context.h arch/x86/kernel/signal.c arch/x86/lib/csum-wrappers_64.c include/linux/compat.h commit 2eac65435fdffca548a56e5187840908438fc95c Merge: ba0ebde 115bf6a Author: Brad Spengler Date: Thu Sep 26 20:00:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit 115bf6af0083ea28c751d551a39cfdba1798e9dc Author: Brad Spengler Date: Thu Sep 26 19:59:14 2013 -0400 Update to pax-linux-3.11.1-test10.patch: - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040) - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released) - beefed up latent entropy extraction - latent_entropy itself will be initialized to a compile-time random value (instead of 0) - entropy will be collected from various irq and softirq handlers arch/arm/kernel/module.c | 2 ++ arch/arm/kernel/vmlinux.lds.S | 2 +- block/blk-iopoll.c | 2 +- block/blk-softirq.c | 2 +- fs/binfmt_elf.c | 8 +++++--- include/linux/genhd.h | 2 +- include/linux/random.h | 4 ++-- kernel/hrtimer.c | 2 +- kernel/rcutiny.c | 2 +- kernel/rcutree.c | 2 +- kernel/sched/fair.c | 2 +- kernel/softirq.c | 4 ++-- kernel/timer.c | 2 +- lib/percpu-refcount.c | 2 +- net/core/dev.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 2 +- 16 files changed, 24 insertions(+), 20 deletions(-) commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6 Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35 Merge: f1e4228 90db383 Author: Brad Spengler Date: Wed Sep 18 17:34:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 90db383fd7d650172d52229b0116ad7604c9bec1 Author: Brad Spengler Date: Wed Sep 18 17:32:42 2013 -0400 Update to pax-linux-3.11.1-test9.patch: - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer - better implementation of __read_only for modules - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard arch/arm/kernel/entry-common.S | 12 ++++++------ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++-- arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++- arch/x86/include/asm/cache.h | 4 ---- drivers/bus/arm-cci.c | 2 +- drivers/clk/socfpga/clk.c | 2 +- drivers/mmc/host/mmci.c | 4 +++- drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +- include/linux/cache.h | 4 ++++ net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- scripts/module-common.lds | 4 ++++ 12 files changed, 49 insertions(+), 19 deletions(-) commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810 Author: Brad Spengler Date: Wed Sep 18 17:32:25 2013 -0400 Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error" This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f. net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f1e42285e17479067b6cbcffc43916720e6dedd3 Merge: 456ca17 5e30989 Author: Brad Spengler Date: Mon Sep 16 21:42:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5e30989102e2d0df166ab6ff915b90f675f8786f Author: Brad Spengler Date: Mon Sep 16 21:41:44 2013 -0400 mark sctp_af_inet forward declaration as __read_only to fix compile error net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 456ca176141f10355c1569b29225c9ce4b7db18e Merge: b406eac 5df8f36 Author: Brad Spengler Date: Mon Sep 16 20:02:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6 Author: Brad Spengler Date: Mon Sep 16 20:01:38 2013 -0400 Update to pax-linux-3.11.1-test7.patch: - fixed arm compile error, reported by Arnaud Ebalard - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743) - fixed od_ops constification, fixes cpufreq ondemand on AMD - latent entropy will now be gathered from module init code as well (i.e., at module load/init time) - __read_only will now be enforced in modules as well - removed unneccessary __read_only from ntfs arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/x86/include/asm/cache.h | 4 ++++ drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 2 +- fs/ntfs/file.c | 4 ++-- include/linux/init.h | 5 ----- include/net/xfrm.h | 5 ++++- init/main.c | 9 +++------ mm/page_alloc.c | 1 + net/ipv4/xfrm4_policy.c | 4 ++-- net/ipv6/xfrm6_policy.c | 4 ++-- net/xfrm/xfrm_policy.c | 11 ++--------- 12 files changed, 23 insertions(+), 30 deletions(-) commit b406eac579bb3a5faa1c9d73b8af5530f942009a Author: Brad Spengler Date: Mon Sep 16 12:53:22 2013 -0400 Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce author Steffen Klassert 2013-09-09 07:39:01 (GMT) committer Steffen Klassert 2013-09-16 07:39:37 (GMT) xfrm: Fix replay size checking on async events We pass the wrong netlink attribute to xfrm_replay_verify_len(). It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as we currently doing. This causes memory corruptions if the replay esn attribute has incorrect length. Fix this by passing the right attribute to xfrm_replay_verify_len(). Reported-by: Michael Rossberg Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9 Merge: 84843a3 0a0ced6 Author: Brad Spengler Date: Sun Sep 15 11:24:30 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/wireless/ath/ath10k/core.c drivers/net/wireless/ath/ath10k/htc.c commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d Author: Brad Spengler Date: Sun Sep 15 11:21:43 2013 -0400 Update to pax-linux-3.11.1-test6.patch: - forward port to 3.11.1 - fixed some CONSTIFY fallout, reported by spender - fixed INVPCID on i386, reported by spender - simplified/consolidated the recent security_ops change arch/x86/include/asm/mmu_context.h | 4 ++-- arch/x86/include/asm/tlbflush.h | 6 +++--- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.c | 7 ++++--- include/linux/security.h | 2 -- security/security.c | 3 --- security/selinux/hooks.c | 5 +++-- 8 files changed, 16 insertions(+), 19 deletions(-) commit 84843a394cde0578be728cb5fd34da9859dcf110 Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit cc7c916cac4c2eb0ec243690627e2b6a13234fef Author: Brad Spengler Date: Sun Sep 15 08:53:27 2013 -0400 resync with PaX security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit fdeadf7ba061242685e07a2504c6be99161f292c Author: Brad Spengler Date: Sat Sep 14 23:04:53 2013 -0400 Fix constification of ath10k_hif_cb struct located on stack drivers/net/wireless/ath/ath10k/hif.h | 1 + drivers/net/wireless/ath/ath10k/htc.c | 2 +- 2 files changed, 2 insertions(+), 1 deletions(-) commit 73c6875760e610cb636f86566a1be7a744d89b82 Author: Brad Spengler Date: Sat Sep 14 22:41:06 2013 -0400 use a no_const typedef for ath10k_htc_ops, which is located on the stack drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.h | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) commit bffb0279b95b717c739365a5a25ca0391e7479b1 Author: Brad Spengler Date: Sat Sep 14 22:13:46 2013 -0400 fix compilation error under constify drivers/net/wireless/ath/ath10k/core.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1044c726fd98de89a711c6655f811600d4051e46 Merge: ffc8003 e39d12a Author: Brad Spengler Date: Sat Sep 14 21:57:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit e39d12a3b877293ba677bf7642c8887144ae1576 Author: Brad Spengler Date: Sat Sep 14 21:56:56 2013 -0400 Update to pax-linux-3.11-test5.patch: - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd) - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin mm/mremap.c | 5 ++++- tools/gcc/kernexec_plugin.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b Author: Brad Spengler Date: Sat Sep 14 21:48:03 2013 -0400 fix compile error introduced by pipacs security/selinux/hooks.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 874e80f445b1325df45f04cc317f67587e241218 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a Author: Brad Spengler Date: Sat Sep 14 19:53:56 2013 -0400 change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs arch/x86/include/asm/tlbflush.h | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838 Author: Daniel Borkmann Date: Sat Sep 7 16:44:59 2013 +0200 Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95 net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE If we do not add braces around ... mask |= POLLERR | sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; ... then this condition always evaluates to true as POLLERR is defined as 8 and binary or'd with whatever result comes out of sock_flag(). Hence instead of (X | Y) ? A : B, transform it into X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix smatch warnings inside datagram_poll") forgot about SCTP. :-( Introduced by 7d4c04fc170 ("net: add option to enable error queue packets waking select"). Signed-off-by: Daniel Borkmann Cc: Jacob Keller Acked-by: Neil Horman Acked-by: Vlad Yasevich Acked-by: Jacob Keller Signed-off-by: David S. Miller net/sctp/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986 Author: Jason Wang Date: Wed Sep 11 18:09:48 2013 +0800 Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0 tuntap: correctly handle error in tun_set_iff() Commit c8d68e6be1c3b242f1c598595830890b65cea64a (tuntap: multiqueue support) only call free_netdev() on error in tun_set_iff(). This causes several issues: - memory of tun security were leaked - use after free since the flow gc timer was not deleted and the tfile were not detached This patch solves the above issues. Reported-by: Wannes Rombouts Cc: Michael S. Tsirkin Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/net/tun.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit b504140d8590bd67ed481ea84824a9846dde2d74 Author: Herbert Xu Date: Sun Sep 8 14:33:50 2013 +1000 Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa crypto: api - Fix race condition in larval lookup crypto_larval_lookup should only return a larval if it created one. Any larval created by another entity must be processed through crypto_larval_wait before being returned. Otherwise this will lead to a larval being killed twice, which will most likely lead to a crash. Cc: stable@vger.kernel.org Reported-by: Kees Cook Tested-by: Kees Cook Signed-off-by: Herbert Xu crypto/api.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit f4212fa9ec1c34c59fabc43904e16112b776b6b2 Author: Daniel Borkmann Date: Wed Sep 11 16:58:36 2013 +0200 Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7 net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport does not seem to have the desired effect: SCTP + IPv4: 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): SCTP + IPv6: 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] Moreover, Alan says: This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X): ... 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side. Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb. Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like: SCTP + IPv6: 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch. [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf Reported-by: Alan Chester Reported-by: Alexey Dobriyan Signed-off-by: Daniel Borkmann Cc: Steffen Klassert Cc: Hannes Frederic Sowa Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/ipv6.c | 42 +++++++++++++----------------------------- 1 files changed, 13 insertions(+), 29 deletions(-) commit 726915e42b1a23b88cd420029003d82208a30006 Author: Kees Cook Date: Fri Sep 13 14:52:04 2013 -0700 Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7 isdn: clean up debug format string usage Avoid unneeded local string buffers for constructing debug output. Also cleans up debug calls that contain a single parameter so that they cannot be accidentally parsed as format strings. Signed-off-by: Kees Cook Cc: Karsten Keil Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: David S. Miller drivers/isdn/hisax/amd7930_fn.c | 4 +- drivers/isdn/hisax/avm_pci.c | 4 +- drivers/isdn/hisax/config.c | 2 +- drivers/isdn/hisax/diva.c | 4 +- drivers/isdn/hisax/elsa.c | 2 +- drivers/isdn/hisax/elsa_ser.c | 2 +- drivers/isdn/hisax/hfc_pci.c | 2 +- drivers/isdn/hisax/hfc_sx.c | 2 +- drivers/isdn/hisax/hscx_irq.c | 4 +- drivers/isdn/hisax/icc.c | 4 +- drivers/isdn/hisax/ipacx.c | 8 +++--- drivers/isdn/hisax/isac.c | 4 +- drivers/isdn/hisax/isar.c | 6 ++-- drivers/isdn/hisax/jade.c | 18 ++++---------- drivers/isdn/hisax/jade_irq.c | 4 +- drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++------------------------- drivers/isdn/hisax/netjet.c | 2 +- drivers/isdn/hisax/q931.c | 6 ++-- drivers/isdn/hisax/w6692.c | 8 +++--- 19 files changed, 57 insertions(+), 79 deletions(-) commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3 Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 5dea4b212b0405d6bcbea57516d77b21035d1178 Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c fs/namei.c | 50 +++++++++++--------------------------------------- 1 files changed, 11 insertions(+), 39 deletions(-) commit a7d5c5e2d0fd4831df19247e41c73c362809b00f Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be3db5fa6532557384fb66d2d9297d77666912cf Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce9afc12137b65991bfc7cce70e28d86bbb76956 Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 84aa149aa0f178516f5784d028522d60d35696c9 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1145b56059535549be226da9891b56ab2d902b2f Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4 Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 74dc00678ec84a254617b500a2880974dac95220 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 889852764d245f44e416da4eb203fda0bd327584 Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit f30e932a87f25b53779d1f92b49923f8a2dc9834 Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit f9eac59133855befee23d0c899e0d0e6ebcd3d44 Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9f5ae466957014bc300929374ebb7afdd9d116d6 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit b643b8f8af23488d92f16a817bf16c162d612ce1 Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 975723a41239b1befae172e88082ff4422753508 Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 05c3db7daee82d79c628c15b304f8621159e14f3 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a79f25f59fdd0abaf4ecfab93017aa49de089498 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 6fe8eb06e432f165872d3486fdce0d09de1515b3 Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c147e32922dd91edf1969b8a6eb333aafb4abb79 Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683 Author: Kees Cook Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit abde07f6c047c0331f511318cb49a36d49218dfc Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit d502375416b17270008ebdf11f1c3be7837f7c50 Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit f6c363aba68cccff2815a488a7e9ed68990100d2 Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit 5c0737b045d057152a39154746d8c8e5d59185ed Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6 Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d4d49138661d5cb646f0dd012178447380b79956 Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 4a307f7d3ff3ab232c0b6341415088e7618c494e Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 78011eb5c2454b8afc96b98bd86ac172e589b13c Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e670dc535e4501fd12d8bf00f1e1306c44266fe7 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 2834fe28e69176da6ac4989c6e3dc713faafefe5 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 2669672647f6955f0e5154596492c73cd4fda330 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 75de5da79f5e03936a79ffe2c827462000001985 Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 9055a8feb8493a30d1ad0fcef25eb496630d223f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 129b6204587740fd082e731a54d00e8a9fc35f8b Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit 67fc73af0876d311c0d01d3b16fa429f44af12b9 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 798adb5cab6c3a8056e1b415e6f34a270f369721 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 4d4945ce90d83784634b898f83cb5a7699537733 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6db464f72eff84f77335b69dc2748a3759e151d1 Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit e78a78dcfc089142273243b54509840d3b50c538 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b27005e62bebc09e6604a6f5dc099742bb6b4434 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 101b84a778c254dfd7399f5bcd6264ff437f1176 Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3e182e4da46de4c6b9a9f45d41030bef19260954 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 32537d92b8da84f38bf45eb85b6953f452064936 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 12 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 128 ++- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++--------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 256 +++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 ++- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 +++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 235 files changed, 4384 insertions(+), 1312 deletions(-) commit a76b033c58b4886552911442f1b89e0cee041dae Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit d1cf217118e0750f54aca9136d8c6a41f0ae439c Author: Brad Spengler Date: Sat Sep 14 14:36:40 2013 -0400 Initial import of pax-linux-3.11-test4.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 23 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 104 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 16 +- arch/x86/ia32/ia32entry.S | 157 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 74 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 128 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 82 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 112 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 130 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 +- arch/x86/kernel/entry_64.S | 669 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 65 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 19 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 89 +- arch/x86/lib/copy_user_nocache_64.S | 22 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 13 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 22 +- arch/x86/lib/memmove_64.S | 36 +- arch/x86/lib/memset_64.S | 11 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 571 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 139 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 39 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 7 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 24 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/host1x/drm/dc.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bcache/super.c | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.h | 4 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 6 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 648 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 18 +- fs/dcache.c | 3 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 38 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 6 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 41 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 5 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 17 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 8 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/random.h | 15 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 +- include/linux/seq_file.h | 1 + include/linux/signal.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 32 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 18 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 84 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 12 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 170 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 10 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 74 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 49 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 32 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 588 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 108 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 10 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 6 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ieee802154/6lowpan.c | 2 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 4 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 690 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 12 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 6 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 471 ++ tools/gcc/latent_entropy_plugin.c | 321 + tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2113 +++++++ tools/gcc/stackleak_plugin.c | 327 + tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1664 files changed, 32957 insertions(+), 7636 deletions(-) commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit e8658e072c00c4c4124383dba46d91f67a24cf97 Merge: b48043e f70f945 Author: Brad Spengler Date: Fri Apr 18 21:05:15 2014 -0400 Merge branch 'pax-test' into grsec-test commit f70f94597c07e3902709100b9e8b0ca88ee5be4d Author: Brad Spengler Date: Fri Apr 18 21:04:32 2014 -0400 Update to pax-linux-3.13.10-test20.patch: - forward port to 3.13.10 - temporarily reverted the previous fix of the overflow plugin as it triggers more problems than it solves tools/gcc/size_overflow_plugin.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b48043e1a01025db96cbbe3b9817a221c8dc154b Merge: 30ce675 0338ded Author: Brad Spengler Date: Thu Apr 17 17:55:02 2014 -0400 Merge branch 'pax-test' into grsec-test commit 0338dedbccd1d623ef78ccebd057893a8510905d Author: Brad Spengler Date: Thu Apr 17 17:54:33 2014 -0400 Update to pax-linux-3.13.9-test20.patch: - Emese fixed two size overflow false positives due to intentional overflows, reported by 7LL (https://forums.grsecurity.net/viewtopic.php?f=3&t=3940) and marcin1j (https://forums.grsecurity.net/viewtopic.php?f=3&t=3943) include/uapi/linux/bcache.h | 5 ++- tools/gcc/size_overflow_hash_aux.data | 9 +++++ tools/gcc/size_overflow_plugin.c | 58 ++++++++++++++++++++++++++++++++- 3 files changed, 69 insertions(+), 3 deletions(-) commit 30ce6750d8a1cd0484a19bb136baaec0f7780b09 Author: Brad Spengler Date: Thu Apr 17 17:12:50 2014 -0400 fix an off-by-one triggerable on 32bit kernels with PAX_USERCOPY on specific shmemfs reads that end up copying from empty_zero_page, which on 32bit x86 has the same address as _etext. Fix up some other harmless instances of this error as well Thanks to 'jy' from IRC for reporting this arch/x86/mm/init_32.c | 6 +++--- fs/exec.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) commit b3a6e7d392ea040b10b5d84e21ce3b25964ce6df Merge: 27bdf99 b377d16 Author: Brad Spengler Date: Mon Apr 14 16:49:55 2014 -0400 Merge branch 'pax-test' into grsec-test commit b377d16f0d5b072ef75635ca0d778e2807c20ae8 Merge: fc6d889 f994ec5 Author: Brad Spengler Date: Mon Apr 14 16:49:37 2014 -0400 Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/x86/crypto/ghash-clmulni-intel_asm.S kernel/futex.c commit 27bdf99dcadbe3e4b185aea4f8574a6cadf3cc93 Author: Brad Spengler Date: Sun Apr 13 12:47:57 2014 -0400 From: Mathias Krause [PATCH net] filter: prevent nla extensions to peek beyond the end of the message The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check for a minimal message length before testing the supplied offset to be within the bounds of the message. This allows the subtraction of the nla header to underflow and therefore -- as the data type is unsigned -- allowing far to big offset and length values for the search of the netlink attribute. The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is also wrong. It has the minuend und subtrahend mixed up, therefore calculates a huge length value, allowing to overrun the end of the message while looking for the netlink attribute. The following three BPF snippets will trigger the bugs when attached to a UNIX datagram socket and parsing a message with length 1, 2 or 3. ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- | ld #0x87654321 | ldx #42 | ld #nla | ret a `--- ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- | ld #0x87654321 | ldx #42 | ld #nlan | ret a `--- ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- | ; (needs a fake netlink header at offset 0) | ld #0 | ldx #42 | ld #nlan | ret a `--- Fix the first issue by ensuring the message length fulfills the minimal size constrains of a nla header. Fix the second bug by getting the math for the remainder calculation right. Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") Cc: Patrick McHardy Cc: Pablo Neira Ayuso Signed-off-by: Mathias Krause net/core/filter.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 397ff885e5d3da96d0f115caa9d4c697895b3281 Author: Pablo Neira Ayuso Date: Mon Mar 31 12:26:39 2014 +0200 Upstream commit: 2fec6bb6f484b1a88b4a325724234d6cfd08c918 netfilter: nf_tables: fix wrong format in request_module() The intended format in request_module is %.*s instead of %*.s. Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 4d8b1faffb7cfe526eb20b717cb0b6d59f348108 Author: Pablo Neira Ayuso Date: Mon Mar 24 15:10:37 2014 +0100 Upstream commit: a9bdd8365684810e3de804f8c51e52c26a5eccbb netfilter: nf_tables: set names cannot be larger than 15 bytes Currently, nf_tables trims off the set name if it exceeeds 15 bytes, so explicitly reject set names that are too large. Reported-by: Giuseppe Longo Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_api.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a99a10ea229b7ae7f6af473949ff5138aef76209 Author: Brad Spengler Date: Fri Apr 11 17:33:00 2014 -0400 Upstream commit: 5678de3f15010b9022ee45673f33bcfc71d47b60 KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi (CVE-2014-0155) QE reported that they got the BUG_ON in ioapic_service to trigger. I cannot reproduce it, but there are two reasons why this could happen. The less likely but also easiest one, is when kvm_irq_delivery_to_apic does not deliver to any APIC and returns -1. Because irqe.shorthand == 0, the kvm_for_each_vcpu loop in that function is never reached. However, you can target the similar loop in kvm_irq_delivery_to_apic_fast; just program a zero logical destination address into the IOAPIC, or an out-of-range physical destination address. Signed-off-by: Paolo Bonzini virt/kvm/ioapic.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c522310c240fa3b1e671066def9fcab1f232f3b Author: Dan Carpenter Date: Tue Apr 8 12:23:09 2014 +0300 Upstream commit: 7563487cbf865284dcd35e9ef5a95380da046737 isdnloop: several buffer overflows There are three buffer overflows addressed in this patch. 1) In isdnloop_fake_err() we add an 'E' to a 60 character string and then copy it into a 60 character buffer. I have made the destination buffer 64 characters and I'm changed the sprintf() to a snprintf(). 2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60 character buffer so we have 54 characters. The ->eazlist[] is 11 characters long. I have modified the code to return if the source buffer is too long. 3) In isdnloop_command() the cbuf[] array was 60 characters long but the max length of the string then can be up to 79 characters. I made the cbuf array 80 characters long and changed the sprintf() to snprintf(). I also removed the temporary "dial" buffer and changed it to use "p" directly. Unfortunately, we pass the "cbuf" string from isdnloop_command() to isdnloop_writecmd() which truncates anything over 60 characters to make it fit in card->omsg[]. (It can accept values up to 255 characters so long as there is a '\n' character every 60 characters). For now I have just fixed the memory corruption bug and left the other problems in this driver alone. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit 9b011cba3d245a48139ab05099e6a825956f8056 Author: Andrey Vagin Date: Fri Mar 28 13:54:32 2014 +0400 Upstream commit: 223b02d923ecd7c84cf9780bb3686f455d279279 netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len "len" contains sizeof(nf_ct_ext) and size of extensions. In a worst case it can contain all extensions. Bellow you can find sizes for all types of extensions. Their sum is definitely bigger than 256. nf_ct_ext_types[0]->len = 24 nf_ct_ext_types[1]->len = 32 nf_ct_ext_types[2]->len = 24 nf_ct_ext_types[3]->len = 32 nf_ct_ext_types[4]->len = 152 nf_ct_ext_types[5]->len = 2 nf_ct_ext_types[6]->len = 16 nf_ct_ext_types[7]->len = 8 I have seen "len" up to 280 and my host has crashes w/o this patch. The right way to fix this problem is reducing the size of the ecache extension (4) and Florian is going to do this, but these changes will be quite large to be appropriate for a stable tree. Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable) Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Cc: "David S. Miller" Signed-off-by: Andrey Vagin Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_conntrack_extend.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c323aca3431ec956221a0333826a0aebcad6182c Author: Trond Myklebust Date: Wed Mar 26 13:24:37 2014 -0700 Upstream commit: e911b8158ee1def8153849b1641b736026b036e0 NFSv4: Fix a use-after-free problem in open() If we interrupt the nfs4_wait_for_completion_rpc_task() call in nfs4_run_open_task(), then we don't prevent the RPC call from completing. So freeing up the opendata->f_attr.mdsthreshold in the error path in _nfs4_do_open() leads to a use-after-free when the XDR decoder tries to decode the mdsthreshold information from the server. Fixes: 82be417aa37c0 (NFSv4.1 cache mdsthreshold values on OPEN) Tested-by: Steve Dickson Cc: stable@vger.kernel.org # 3.5+ Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 19 ++++++++++--------- 1 files changed, 10 insertions(+), 9 deletions(-) commit afbc7281d89c10419bcaf9cd8f2a34fa1f0dc74a Author: Brad Spengler Date: Fri Apr 11 16:57:17 2014 -0400 Apply: https://lkml.org/lkml/2014/4/10/736 PAX_REFCOUNT makes this unexploitable, turning it into a harmless memleak net/ipv4/ping.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit 64688b956632b3165fd8aabb9b143f4d365ba382 Author: H. Peter Anvin Date: Sun Mar 16 15:31:54 2014 -0700 Upstream commit: b3b42ac2cbae1f3cecbb6229964a4d48af31d382 x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels The IRET instruction, when returning to a 16-bit segment, only restores the bottom 16 bits of the user space stack pointer. We have a software workaround for that ("espfix") for the 32-bit kernel, but it relies on a nonzero stack segment base which is not available in 32-bit mode. Since 16-bit support is somewhat crippled anyway on a 64-bit kernel (no V86 mode), and most (if not quite all) 64-bit processors support virtualization for the users who really need it, simply reject attempts at creating a 16-bit segment when running on top of a 64-bit kernel. Cc: Linus Torvalds Signed-off-by: H. Peter Anvin Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org Cc: Conflicts: arch/x86/kernel/ldt.c arch/x86/kernel/ldt.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 027b8db0f3266f307c6324f52d19c9425e01a95b Author: Brad Spengler Date: Mon Apr 7 18:41:45 2014 -0400 Update GRKERNSEC_IO documentation grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4ffae780ca4045f1e00c3695a1c67fa7b83e842a Author: Brad Spengler Date: Sun Apr 6 18:59:00 2014 -0400 add compiler.h to path.h include/linux/path.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 697d5a873545a0ee00e2bffbf74ba5faae55c286 Author: Brad Spengler Date: Sun Apr 6 18:37:18 2014 -0400 fix typo security/tomoyo/tomoyo.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit d1a22c83e7a3175d894b8ceb0f01b77fe499db28 Author: Brad Spengler Date: Sun Apr 6 17:58:39 2014 -0400 fix tomoyo compilation with RANDSTRUCT Conflicts: security/tomoyo/tomoyo.c security/tomoyo/tomoyo.c | 27 ++++++++++++++++----------- 1 files changed, 16 insertions(+), 11 deletions(-) commit 96785c664a95a149773214bed1d7463ffad0441f Author: Brad Spengler Date: Sun Apr 6 17:50:38 2014 -0400 fix tomoyo compilation with RANDSTRUCT security/tomoyo/file.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 25475ea5ba7ec539347edb25d8d15eac6a9e65d1 Author: Brad Spengler Date: Sun Apr 6 17:43:47 2014 -0400 Fix tomoyo compilation with RANDSTRUCT security/tomoyo/file.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit bd744926b9496053982db351f2b087725e931ce2 Author: Brad Spengler Date: Sun Apr 6 17:23:09 2014 -0400 fix apparmor compilation with RANDSTRUCT security/apparmor/file.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 6a70a4ca3f2f5b2f9f2f1c500a3b39813f980091 Author: Brad Spengler Date: Sun Apr 6 17:11:40 2014 -0400 fix apparmor compilation with RANDSTRUCT security/apparmor/lsm.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 6d5c843ec117929962b0b5e36b6efe36d7008489 Author: Brad Spengler Date: Sun Apr 6 16:58:35 2014 -0400 add __randomize_layout to more important structures Conflicts: include/linux/filter.h include/net/af_unix.h include/net/sock.h include/linux/binfmts.h | 4 ++-- include/linux/path.h | 2 +- include/linux/security.h | 2 +- include/linux/tty_driver.h | 2 +- include/net/af_unix.h | 2 +- include/net/sock.h | 4 ++-- 6 files changed, 8 insertions(+), 8 deletions(-) commit 2d58b7af7d974cf11c9b6fcaafc098f68925b28d Merge: f7886f6 fc6d889 Author: Brad Spengler Date: Sun Apr 6 09:10:40 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/Makefile commit fc6d8892f8370cc6b246aab23dfe3ce472da9058 Author: Brad Spengler Date: Sun Apr 6 09:06:24 2014 -0400 Update to pax-linux-3.13.9-test19.patch: - updated the hash database for external modules, by Emese - fixed regression in gcc plugin compilation when compiling with ccache, reported by ncopa - proper fix for 309944be296efbb3ca4737d12ef49d2ba97cbecc upstream - fixed plugin compilation under gcc 4.5, reported by Emese Revfy - Emese added support for out-of-tree modules for the size overflow plugin, fixes https://bugs.gentoo.org/show_bug.cgi?id=505594 arch/x86/boot/compressed/misc.c | 7 +- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- scripts/gcc-plugin.sh | 4 +- tools/gcc/Makefile | 12 ++- tools/gcc/gcc-common.h | 1 + tools/gcc/generate_size_overflow_hash.sh | 5 +- tools/gcc/size_overflow_hash_aux.data | 83 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 25 ++++-- 8 files changed, 123 insertions(+), 18 deletions(-) commit f7886f6633822747782b7206b371ea521eee3f0b Author: Brad Spengler Date: Sun Apr 6 08:34:08 2014 -0400 This reverts commit 31dee23268ac47eaaafacb186229bc14fb84fa9b. net/socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0f1d45357477cb7658e7dc361c7ac67678d7a9b9 Merge: ca30500 6bf7e1d Author: Brad Spengler Date: Sat Apr 5 18:09:10 2014 -0400 Merge branch 'pax-test' into grsec-test commit 6bf7e1df5475a7244d717546bd5c0569acdf8215 Merge: 20f0a08 bf061ff Author: Brad Spengler Date: Sat Apr 5 18:08:56 2014 -0400 Merge branch 'linux-3.13.y' into pax-test commit ca305006c767819ee7924d7ea952a8f9c817d2a7 Author: Pablo Neira Date: Tue Apr 1 19:38:44 2014 +0200 Upstream commit: 8b7b932434f5eee495b91a2804f5b64ebb2bc835 netlink: don't compare the nul-termination in nla_strcmp nla_strcmp compares the string length plus one, so it's implicitly including the nul-termination in the comparison. int nla_strcmp(const struct nlattr *nla, const char *str) { int len = strlen(str) + 1; ... d = memcmp(nla_data(nla), str, len); However, if NLA_STRING is used, userspace can send us a string without the nul-termination. This is a problem since the string comparison will not match as the last byte may be not the nul-termination. Fix this by skipping the comparison of the nul-termination if the attribute data is nul-terminated. Suggested by Thomas Graf. Cc: Florian Westphal Cc: Thomas Graf Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller lib/nlattr.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 4676a42ce0a63b9713d315c715d6f863d6388bf2 Author: Oleg Nesterov Date: Wed Apr 2 17:45:05 2014 +0200 Upstream commit: d23082257d83e4bc89727d5aedee197e907999d2 pid_namespace: pidns_get() should check task_active_pid_ns() != NULL pidns_get()->get_pid_ns() can hit ns == NULL. This task_struct can't go away, but task_active_pid_ns(task) is NULL if release_task(task) was already called. Alternatively we could change get_pid_ns(ns) to check ns != NULL, but it seems that other callers are fine. Signed-off-by: Oleg Nesterov Cc: Eric W. Biederman ebiederm@xmission.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds kernel/pid_namespace.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit b2c5c8d231e1749fe42698c6be31a49b46b8eb7e Author: YOSHIFUJI Hideaki / 吉藤英明 Date: Wed Apr 2 12:48:42 2014 +0900 Upstream commit: 77bc6bed7121936bb2e019a8c336075f4c8eef62 isdnloop: Validate NUL-terminated strings from user. Return -EINVAL unless all of user-given strings are correctly NUL-terminated. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit abceea2065cb053917751b02a02e87134d5af5b0 Author: Wei Liu Date: Tue Apr 1 12:46:12 2014 +0100 Upstream commit: e9d8b2c2968499c1f96563e6522c56958d5a1d0d xen-netback: disable rogue vif in kthread context When netback discovers frontend is sending malformed packet it will disables the interface which serves that frontend. However disabling a network interface involving taking a mutex which cannot be done in softirq context, so we need to defer this process to kthread context. This patch does the following: 1. introduce a flag to indicate the interface is disabled. 2. check that flag in TX path, don't do any work if it's true. 3. check that flag in RX path, turn off that interface if it's true. The reason to disable it in RX path is because RX uses kthread. After this change the behavior of netback is still consistent -- it won't do any TX work for a rogue frontend, and the interface will be eventually turned off. Also change a "continue" to "break" after xenvif_fatal_tx_err, as it doesn't make sense to continue processing packets if frontend is rogue. This is a fix for XSA-90. Reported-by: Török Edwin Signed-off-by: Wei Liu Cc: Ian Campbell Reviewed-by: David Vrabel Acked-by: Ian Campbell Signed-off-by: David S. Miller drivers/net/xen-netback/common.h | 5 +++++ drivers/net/xen-netback/interface.c | 11 +++++++++++ drivers/net/xen-netback/netback.c | 16 ++++++++++++++-- 3 files changed, 30 insertions(+), 2 deletions(-) commit ff438506da3cf85c07f3f3c80429f87138502d82 Author: Brad Spengler Date: Thu Apr 3 11:34:13 2014 -0400 revert last change net/core/filter.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit aed17226225c496cea10f90db89cb5f505ce5c3a Author: Brad Spengler Date: Thu Apr 3 10:38:55 2014 -0400 harden non-JIT socket filters against memory corruption occuring after check time net/core/filter.c | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) commit 8153c4335a8c655d0dc51fb547bf257339faabe3 Author: Brad Spengler Date: Thu Apr 3 11:01:13 2014 -0400 add additional checking, convert WARN to a BUG since we should be able to filter out any invalid ops at filter install time -- finding them during runtime is a sign of memory corruption Conflicts: net/core/filter.c net/core/filter.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit cf4164083c37d1f301ab28f5cf102b875c6a3057 Author: Brad Spengler Date: Thu Apr 3 07:39:34 2014 -0400 Update documentation on chroot to notify users that chrooting to a bind mount of the root filesystem provides no security benefits and will not trigger the chroot protections. grsecurity/Kconfig | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 809c33c81db39b5e0a2f8b8953f156d3ae2bc9d4 Merge: b224936 20f0a08 Author: Brad Spengler Date: Tue Apr 1 18:41:17 2014 -0400 Merge branch 'pax-test' into grsec-test commit 20f0a08510a47d6d31c29da6ff3bd093a62cfdd1 Merge: 6b71ad0 5366635 Author: Brad Spengler Date: Tue Apr 1 18:41:02 2014 -0400 Merge branch 'linux-3.13.y' into pax-test commit b224936088e49229a37e4a3b17567598161bb1c0 Author: Sasha Levin Date: Fri Mar 28 17:38:42 2014 +0100 Upstream commit: 05efa8c943b1d5d90fa8c8147571837573338bb6 random32: avoid attempt to late reseed if in the middle of seeding Commit 4af712e8df ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized") has added a late reseed stage that happens as soon as the nonblocking pool is marked as initialized. This fails in the case that the nonblocking pool gets initialized during __prandom_reseed()'s call to get_random_bytes(). In that case we'd double back into __prandom_reseed() in an attempt to do a late reseed - deadlocking on 'lock' early on in the boot process. Instead, just avoid even waiting to do a reseed if a reseed is already occuring. Fixes: 4af712e8df99 ("random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized") Signed-off-by: Sasha Levin Acked-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller lib/random32.c | 13 ++++++++++++- 1 files changed, 12 insertions(+), 1 deletions(-) commit 9aa441e0e5aa2480ca073e33fcf6a9f5cdaabc81 Author: Michael S. Tsirkin Date: Thu Mar 27 12:00:26 2014 +0200 Upstream commit: d8316f3991d207fe32881a9ac20241be8fa2bad0 vhost: fix total length when packets are too short When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success. This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it. Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated. Fix this up by detecting this overrun and doing packet drop immediately. CVE-2014-0077 Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 14 ++++++++++++++ 1 files changed, 14 insertions(+), 0 deletions(-) commit 43ee74030403a780a1e9418ab825f4d675ccdb47 Merge: 9987cd5 6b71ad0 Author: Brad Spengler Date: Sun Mar 30 13:28:35 2014 -0400 Merge branch 'pax-test' into grsec-test commit 6b71ad024068595a2e4caa3393fbb4d531197e27 Author: Brad Spengler Date: Sun Mar 30 13:27:44 2014 -0400 Update to pax-linux-3.13.7-test17.patch: - fixed a regression in the previous latent entropy plugin change, reported by spender - fixed a regression in gcc-plugin.sh that could make cross-compilation fail, reported by Aniem - hardened the hyper-v hypercall page access rights (rwx -> r-x), reported and tested by Hunger drivers/hv/hv.c | 2 +- scripts/gcc-plugin.sh | 4 ++-- tools/gcc/latent_entropy_plugin.c | 6 +++++- 3 files changed, 8 insertions(+), 4 deletions(-) commit 9987cd5663f69ecc4d8bdfe80e46775ec081512c Author: Wei Liu Date: Sat Mar 15 16:11:47 2014 +0000 Upstream commit: 09ed3d5ba06137913960f9c9385f71fc384193ab xen/balloon: flush persistent kmaps in correct position Xen balloon driver will update ballooned out pages' P2M entries to point to scratch page for PV guests. In 24f69373e2 ("xen/balloon: don't alloc page while non-preemptible", kmap_flush_unused was moved after updating P2M table. In that case for 32 bit PV guest we might end up with P2M X -----> S (S is mfn of balloon scratch page) M2P Y -----> X (Y is mfn in persistent kmap entry) kmap_flush_unused() iterates through all the PTEs in the kmap address space, using pte_to_page() to obtain the page. If the p2m and the m2p are inconsistent the incorrect page is returned. This will clear page->address on the wrong page which may cause subsequent oopses if that page is currently kmap'ed. Move the flush back between get_page and __set_phys_to_machine to fix this. Signed-off-by: Wei Liu Signed-off-by: David Vrabel Cc: stable@vger.kernel.org # 3.12+ drivers/xen/balloon.c | 24 ++++++++++++++++++------ 1 files changed, 18 insertions(+), 6 deletions(-) commit f6481e295cb69c34218b694ba5fca6315cc90b71 Author: David Vrabel Date: Tue Mar 25 10:38:37 2014 +0000 Upstream commit: 5926f87fdaad4be3ed10cec563bf357915e55a86 Revert "xen: properly account for _PAGE_NUMA during xen pte translations" This reverts commit a9c8e4beeeb64c22b84c803747487857fe424b68. PTEs in Xen PV guests must contain machine addresses if _PAGE_PRESENT is set and pseudo-physical addresses is _PAGE_PRESENT is clear. This is because during a domain save/restore (migration) the page table entries are "canonicalised" and uncanonicalised". i.e., MFNs are converted to PFNs during domain save so that on a restore the page table entries may be rewritten with the new MFNs on the destination. This canonicalisation is only done for PTEs that are present. This change resulted in writing PTEs with MFNs if _PAGE_PROTNONE (or _PAGE_NUMA) was set but _PAGE_PRESENT was clear. These PTEs would be migrated as-is which would result in unexpected behaviour in the destination domain. Either a) the MFN would be translated to the wrong PFN/page; b) setting the _PAGE_PRESENT bit would clear the PTE because the MFN is no longer owned by the domain; or c) the present bit would not get set. Symptoms include "Bad page" reports when munmapping after migrating a domain. Signed-off-by: David Vrabel Acked-by: Konrad Rzeszutek Wilk Cc: [3.12+] arch/x86/include/asm/pgtable.h | 14 ++------------ arch/x86/xen/mmu.c | 4 ++-- 2 files changed, 4 insertions(+), 14 deletions(-) commit 29e56c3fdd2ff43c43f31e74bccc164c38ec96b2 Author: Daniel Vetter Date: Wed Mar 26 20:10:09 2014 +0100 Upstream commit: 8ee661b505613ef2747b350ca2871a31b3781bee drm/i915: Undo gtt scratch pte unmapping again It apparently blows up on some machines. This functionally reverts commit 828c79087cec61eaf4c76bb32c222fbe35ac3930 Author: Ben Widawsky Date: Wed Oct 16 09:21:30 2013 -0700 drm/i915: Disable GGTT PTEs on GEN6+ suspend Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=64841 Reported-and-Tested-by: Brad Jackson Cc: stable@vger.kernel.org Cc: Takashi Iwai Cc: Paulo Zanoni Cc: Todd Previte Signed-off-by: Daniel Vetter Signed-off-by: Dave Airlie drivers/gpu/drm/i915/i915_gem_gtt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f5fd5843a87569cfd8de8e8843ccb13e9e35afd5 Author: Jan Kara Date: Wed Mar 26 06:20:14 2014 +0100 Upstream commit: 75c5a52da3fc2a06abb6c6192bdf5d680e56d37d vfs: Allocate anon_inode_inode in anon_inode_init() Currently we allocated anon_inode_inode in anon_inodefs_mount. This is somewhat fragile as if that function ever gets called again, it will overwrite anon_inode_inode pointer. So move the initialization of anon_inode_inode to anon_inode_init(). Signed-off-by: Jan Kara [ Further simplified on suggestion from Dave Jones ] Signed-off-by: Linus Torvalds fs/anon_inodes.c | 30 ++++++++---------------------- 1 files changed, 8 insertions(+), 22 deletions(-) commit da2cc3c610141a5f41bd382b5ee7729893e3db12 Author: Brad Spengler Date: Thu Mar 27 21:54:11 2014 -0400 ignore noreturn functions for now in the latent_entropy plugin tools/gcc/latent_entropy_plugin.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 0d1e588588bc19f449d667b69ac76bad0584752d Author: Brad Spengler Date: Thu Mar 27 21:27:56 2014 -0400 update config help for GRKERNSEC_KMEM to reflect recent change to only deny writes to /dev/cpu/*/msr instead of denying access entirely, allows powertop etc to continue to work while denying/logging the malicious activity grsecurity/Kconfig | 12 +++++------- 1 files changed, 5 insertions(+), 7 deletions(-) commit 4ad2f9fd7429c81e3b2115227685af06830d05c4 Author: Brad Spengler Date: Thu Mar 27 21:24:58 2014 -0400 Revert "Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b" This reverts commit b6ab67fc7a47b542601dd116f934d255c9c2c372. kernel/trace/trace.c | 27 ++------------------------- 1 files changed, 2 insertions(+), 25 deletions(-) commit 1a70975ec716c68b37758fbba95ab9b7b6165c8a Author: Linus Torvalds Date: Tue Mar 25 17:43:34 2014 -0700 Upstream commit: fce7fc79c8f7188dfc5eafa1b937bcc3c5a4c2f5 fs: remove now stale label in anon_inode_init() The previous commit removed the register_filesystem() call and the associated error handling, but left the label for the error path that no longer exists. Remove that too. Signed-off-by: Linus Torvalds fs/anon_inodes.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 6c1ec97bac84bc22b1a37008193643b9bcab1a46 Author: Jan Kara Date: Tue Mar 25 21:37:09 2014 +0100 Upstream commit: d6f2589ad561aa5fa39f347eca6942668b7560a1 fs: Avoid userspace mounting anon_inodefs filesystem anon_inodefs filesystem is a kernel internal filesystem userspace shouldn't mess with. Remove registration of it so userspace cannot even try to mount it (which would fail anyway because the filesystem is MS_NOUSER). This fixes an oops triggered by trinity when it tried mounting anon_inodefs which overwrote anon_inode_inode pointer while other CPU has been in anon_inode_getfile() between ihold() and d_instantiate(). Thus effectively creating dentry pointing to an inode without holding a reference to it. Reported-by: Sasha Levin Signed-off-by: Jan Kara Signed-off-by: Linus Torvalds fs/anon_inodes.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 1e03cd2f178d167cc13e29836c1cb040aeea8d0f Author: Al Viro Date: Sun Mar 23 00:28:40 2014 -0400 Upstream commit: e825196d48d2b89a6ec3a8eff280098d2a78207e make prepend_name() work correctly when called with negative *buflen In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8c174b004c6eed3d46e9888385207f454599aa23 Author: Al Viro Date: Thu Mar 20 15:18:22 2014 -0400 Upstream commit: b37199e626b31e1175fb06764c5d1d687723aac2 rcuwalk: recheck mount_lock after mountpoint crossing attempts We can get false negative from __lookup_mnt() if an unrelated vfsmount gets moved. In that case legitimize_mnt() is guaranteed to fail, and we will fall back to non-RCU walk... unless we end up running into a hard error on a filesystem object we wouldn't have reached if not for that false negative. IOW, delaying that check until the end of pathname resolution is wrong - we should recheck right after we attempt to cross the mountpoint. We don't need to recheck unless we see d_mountpoint() being true - in that case even if we have just raced with mount/umount, we can simply go on as if we'd come at the moment when the sucker wasn't a mountpoint; if we run into a hard error as the result, it was a legitimate outcome. __lookup_mnt() returning NULL is different in that respect, since it might've happened due to operation on completely unrelated mountpoint. Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namei.c | 29 +++++++++++++---------------- 1 files changed, 13 insertions(+), 16 deletions(-) commit b6ab67fc7a47b542601dd116f934d255c9c2c372 Author: Steven Rostedt (Red Hat) Date: Tue Mar 25 23:39:41 2014 -0400 Upstream commit: 2c4a33aba5f9ea3a28f2e40351f078d95f00786b tracing: Fix traceon trigger condition to actually turn tracing on While working on my tutorial for 2014 Linux Collaboration Summit I found that the traceon trigger did not work when conditions were used. The other triggers worked fine though. Looking into it, it is because of the way the triggers use the ring buffer to store the fields it will use for the condition. But if tracing is off, nothing is stored in the buffer, and the tracepoint exits before calling the trigger to test the condition. This is fine for all the triggers that only work when tracing is on, but for traceon trigger that is to work when tracing is off, nothing happens. The fix is simple, just use a temp ring buffer to record the event if tracing is off and the event has a trace event conditional trigger enabled. The rest of the tracepoint code will work just fine, but the tracepoint wont be recorded in the other buffers. Cc: Tom Zanussi Signed-off-by: Steven Rostedt kernel/trace/trace.c | 27 +++++++++++++++++++++++++-- 1 files changed, 25 insertions(+), 2 deletions(-) commit 3b8aebe0c4cffda5d5bfc738e7a02fd320184b06 Author: Eric Dumazet Date: Tue Mar 25 18:42:27 2014 -0700 Upstream commit: de1443916791d75fdd26becb116898277bb0273f net: unix: non blocking recvmsg() should not return -EINTR Some applications didn't expect recvmsg() on a non blocking socket could return -EINTR. This possibility was added as a side effect of commit b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines"). To hit this bug, you need to be a bit unlucky, as the u->readlock mutex is usually held for very small periods. Fixes: b3ca9b02b00704 ("net: fix multithreaded signal handling in unix recv routines") Signed-off-by: Eric Dumazet Cc: Rainer Weikusat Signed-off-by: David S. Miller net/unix/af_unix.c | 17 ++++++++++++----- 1 files changed, 12 insertions(+), 5 deletions(-) commit 1bb09af0e99a5b3f3006e4fedf9bba1c3ed3d9d4 Merge: 5473ce5 0a11cb5 Author: Brad Spengler Date: Thu Mar 27 20:00:42 2014 -0400 Merge branch 'pax-test' into grsec-test commit 0a11cb57b4afce8c08851aef512f873bdb3d9943 Author: Brad Spengler Date: Thu Mar 27 20:00:02 2014 -0400 Update to pax-linux-3.13.7-test16.patch: - updated the size overflow hast table, by spender - fixed the gcc plugin capability detector script for gcc 4.9 - fixed the latent entropy plugin to use the intended successor blocks instead of what happens to be next in the block list - changed the initial task's and the idle tasks' starting stack address to be consistent with the other stacks (top 2 slots are unused) - removed the pointless retaddr instrumentation from the low level kernel relocator code arch/x86/kernel/head_64.S | 2 +- arch/x86/kernel/relocate_kernel_64.S | 2 -- arch/x86/kernel/smpboot.c | 2 +- scripts/gcc-plugin.sh | 17 ++++++++--------- tools/gcc/latent_entropy_plugin.c | 10 ++++++---- tools/gcc/size_overflow_hash.data | 6 ++++++ 6 files changed, 22 insertions(+), 17 deletions(-) commit 5473ce509ab763c927aa2639f7db8aee384d3693 Author: Eric Dumazet Date: Wed Mar 19 21:02:21 2014 -0700 Upstream commit: 632623153196bf183a69686ed9c07eee98ff1bf8 tcp: syncookies: do not use getnstimeofday() While it is true that getnstimeofday() uses about 40 cycles if TSC is available, it can use 1600 cycles if hpet is the clocksource. Switch to get_jiffies_64(), as this is more than enough, and go back to 60 seconds periods. Fixes: 8c27bd75f04f ("tcp: syncookies: reduce cookie lifetime to 128 seconds") Signed-off-by: Eric Dumazet Cc: Florian Westphal Acked-by: Florian Westphal Signed-off-by: David S. Miller include/net/tcp.h | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 580a16424470410a1655dd62f71847725a89e1f0 Author: Dave Kleikamp Date: Fri Mar 14 10:42:01 2014 -0500 Upstream commit: 1535bd8adbdedd60a0ee62e28fd5225d66434371 sparc64: don't treat 64-bit syscall return codes as 32-bit When checking a system call return code for an error, linux_sparc_syscall was sign-extending the lower 32-bit value and comparing it to -ERESTART_RESTARTBLOCK. lseek can return valid return codes whose lower 32-bits alone would indicate a failure (such as 4G-1). Use the whole 64-bit value to check for errors. Only the 32-bit path should sign extend the lower 32-bit value. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Acked-by: Allen Pais Cc: David S. Miller Cc: sparclinux@vger.kernel.org Signed-off-by: David S. Miller arch/sparc/kernel/syscalls.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 29127b7a71024630e40d98ec08c77e3feb584e7e Author: Brad Spengler Date: Tue Mar 25 17:07:59 2014 -0400 update size_overflow hash table tools/gcc/size_overflow_hash.data | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit d42eece8853149008b9645106936f9cd4ddb38bc Merge: df4b222 cb629d4 Author: Brad Spengler Date: Mon Mar 24 19:07:49 2014 -0400 Merge branch 'pax-test' into grsec-test commit cb629d4458d7491cc16580860c234f85c463111d Merge: 3afa257 896c694 Author: Brad Spengler Date: Mon Mar 24 19:07:30 2014 -0400 Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/x86/kernel/head_32.S drivers/cpufreq/intel_pstate.c commit df4b2229045f125eaa91dd2a696e56c589f8c962 Merge: e440e3a 3afa257 Author: Brad Spengler Date: Mon Mar 24 18:55:45 2014 -0400 Merge branch 'pax-test' into grsec-test commit 3afa2576ef64a8266c5a2f142e3cb3c970f21d3c Author: Brad Spengler Date: Mon Mar 24 18:54:38 2014 -0400 Update to pax-linux-3.13.7-test15.patch: - fixed several compilation problems on arm all*configs, by spender - small update to gcc-common.h - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) Makefile | 2 +- arch/arm/include/asm/uaccess.h | 1 + arch/ia64/include/asm/uaccess.h | 1 + arch/powerpc/include/asm/uaccess.h | 1 + arch/powerpc/mm/mmap.c | 6 +++--- arch/s390/include/asm/uaccess.h | 1 + arch/x86/include/asm/uaccess.h | 2 +- arch/x86/include/asm/uaccess_64.h | 12 ++++++------ 8 files changed, 15 insertions(+), 11 deletions(-) commit e440e3aa4b4662f8d811120a87f51d8ab48d9c90 Author: Brad Spengler Date: Thu Mar 20 23:16:11 2014 -0400 convert hvc tty driver to proper refcounted atomics on port.count, fixes ppc64 allyesconfig compilation drivers/tty/hvc/hvsi.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 013c6d73e4a4ae358ee180b40428f3dd04dd3aa8 Author: Brad Spengler Date: Thu Mar 20 22:53:31 2014 -0400 add local_unchecked_t accessors to fix ppc64 compilation arch/powerpc/include/asm/local.h | 15 +++++++++++++++ 1 files changed, 15 insertions(+), 0 deletions(-) commit 1cffa7895513b754c95673b12a8c638797e5b7e2 Author: Brad Spengler Date: Thu Mar 20 22:25:47 2014 -0400 add access_ok_noprefault macro to fix ppc64+kvm compilation, patch from pipacs arch/arm/include/asm/uaccess.h | 1 + arch/arm64/include/asm/uaccess.h | 1 + arch/ia64/include/asm/uaccess.h | 1 + arch/mips/include/asm/uaccess.h | 1 + arch/powerpc/include/asm/uaccess.h | 1 + arch/s390/include/asm/uaccess.h | 1 + arch/x86/include/asm/uaccess.h | 2 +- arch/x86/include/asm/uaccess_64.h | 12 ++++++------ arch/x86/mm/gup.c | 4 ++-- virt/kvm/kvm_main.c | 2 +- 10 files changed, 16 insertions(+), 10 deletions(-) commit 58bdcb9b494eb7ab916ead7944e444d0a6af5002 Author: Brad Spengler Date: Thu Mar 20 21:53:32 2014 -0400 correct function definition for kvm_arch_init() to fix compilation on ppc64 arch/powerpc/kvm/powerpc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3eb6820bfec5b4a4bfbb0056c057d50b8df4997 Author: Brad Spengler Date: Thu Mar 20 21:47:35 2014 -0400 fix ppc64 allyesconfig compilation with RANDSTRUCT arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit fb017032977cb38d750fe9b9a11d22fc565e576f Author: Brad Spengler Date: Thu Mar 20 21:36:39 2014 -0400 use $(LATENT_ENTROPY_PLUGIN_CFLAGS) arch/powerpc/kernel/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e795367c8c4d750c3900f6546365ca27b9a8aad5 Author: Brad Spengler Date: Thu Mar 20 21:24:01 2014 -0400 move REMOVE_CFLAGS arch/powerpc/kernel/Makefile | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f80a67cf62542dbab790fcad2395c00e6534c26d Author: Brad Spengler Date: Thu Mar 20 20:30:35 2014 -0400 fix compilation by removing the latent entropy plugin from prom_init.c -- there's a script for ppc64 that checks the object file for a whitelisted set of exported symbols, code is very fragile arch/powerpc/kernel/Makefile | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit cafe563e6cc19e3510c2f341c12440fdbd77a2aa Author: Brad Spengler Date: Thu Mar 20 20:28:07 2014 -0400 export LATENT_ENTROPY_PLUGIN_CFLAGS so we can remove it from prom_init.c on ppc64 Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 90330189b37110d8343edd37147bb5c666feede4 Author: Brad Spengler Date: Thu Mar 20 20:24:53 2014 -0400 fix ppc64 compilation, pass mm_struct through from arch_pick_mmap_layout arch/powerpc/mm/mmap.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 765a84b5300316d57eb9b82f7d941750d9ddf9ec Author: Brad Spengler Date: Wed Mar 19 21:53:12 2014 -0400 add ktla_ktva/ktva_ktla to sparc to fix compilation arch/sparc/include/asm/pgtable.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 896004e18909d7de9ffe295180e12c275a623990 Author: Brad Spengler Date: Wed Mar 19 21:32:20 2014 -0400 remove __read_mostly on ip_vs_genl_ops[], it's const so the attribute is bogus and causes compilation failure on MIPS net/netfilter/ipvs/ip_vs_ctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 143dcb4ff8b259163f978c468663dcaebfe573b4 Author: Brad Spengler Date: Wed Mar 19 21:18:46 2014 -0400 Include second patch needed for compilation, not yet included by upstream (so MIPS compilation is broken there): http://patchwork.linux-mips.org/patch/6585/ arch/mips/include/asm/ftrace.h | 20 ++++++++++---------- 1 files changed, 10 insertions(+), 10 deletions(-) commit b464eb7ac1132953ab99ff25826478e32690844f Author: Markos Chandras Date: Wed Jan 22 14:39:57 2014 +0000 Upstream commit: a8031d2ce15bdb90baeae02d7a231ccece73da8b MIPS: asm: syscall: Fix copying system call arguments The syscall_get_arguments function expects the arguments to be copied to the '*args' argument but instead a local variable was used to hold the system call argument. As a result of which, this variable was never passed to the filter and any filter testing the system call arguments would fail. This is fixed by passing the '*args' variable as the destination memory for the system call arguments. Signed-off-by: Markos Chandras Reviewed-by: Paul Burton Reviewed-by: James Hogan Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6402/ Signed-off-by: Ralf Baechle arch/mips/include/asm/syscall.h | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit b8f9d6f82e2fb814be37391109623d79e297571d Author: Brad Spengler Date: Wed Mar 19 21:01:40 2014 -0400 add ktla_ktva/ktva_ktla macros to MIPS arch/mips/include/asm/pgtable.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit f0f660649f3b2cf1d448940ca8b7f4ab4249d8ce Author: Brad Spengler Date: Wed Mar 19 20:46:38 2014 -0400 include linux/prefetch.h to fix mips compilation grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 514ec7617daa1a925a0ec0fa910335396213ef45 Author: Brad Spengler Date: Wed Mar 19 20:45:59 2014 -0400 Revert "fix compiler warning in hugetlbfs code" This reverts commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0. fs/hugetlbfs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6da49b57e2795853a453f596e0b874aece27aa4b Author: Viller Hsiao Date: Sat Feb 22 15:46:49 2014 +0800 Upstream commit: a4671094227d11985c06ee1178d7205c5fd39f8a MIPS: ftrace: Fix icache flush range error In 32-bit mode, the start address passed to flush_icache_range is shifted by 4 bytes before the second safe_store_code() call. This causes system crash from time to time because the first 4 bytes might not be flushed properly. This bug exists since linux-3.8. Also remove obsoleted comment while at it. Signed-off-by: Viller Hsiao Cc: linux-mips@linux-mips.org Cc: rostedt@goodmis.org Cc: fweisbec@gmail.com Cc: mingo@redhat.com Cc: Qais.Yousef@imgtec.com Patchwork: https://patchwork.linux-mips.org/patch/6586/ Signed-off-by: Ralf Baechle arch/mips/kernel/ftrace.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 624ddea7bbda3535b7c9a779b6ff149e93863321 Author: Lars Persson Date: Mon Mar 17 12:14:13 2014 +0100 Upstream commit: 86ca57b5a5525dbf89fc2a3285781fae807276b0 MIPS: Fix syscall tracing interface Fix pointer computation for stack-based arguments. Signed-off-by: Lars Persson Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6620/ Signed-off-by: Ralf Baechle arch/mips/include/asm/syscall.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bf3daf307906cd7d03cb6eb64559ee98cdf3182 Author: Brad Spengler Date: Wed Mar 19 20:28:16 2014 -0400 fix octeon compilation, add __maybe_unused to usp local var arch/mips/include/asm/syscall.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2c325ed37fe35aa85b4ca6deb67e6ca091704ed0 Author: Brad Spengler Date: Wed Mar 19 19:46:52 2014 -0400 fix compiler warning in hugetlbfs code fs/hugetlbfs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 43783f55374fe9bafc064ceacf915920ca45a6c5 Merge: e018f0a aae8b87 Author: Brad Spengler Date: Mon Mar 17 19:51:01 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/gpio/gpio-rcar.c commit aae8b8720beec7c79d17ddd4f7d55bac0e83d5c6 Author: Brad Spengler Date: Mon Mar 17 19:48:43 2014 -0400 Update to pax-linux-3.13.6-test14.patch: - fixed several compilation problems on arm all*configs, by spender - small update to gcc-common.h - Emese fixed a compile time infinite loop in the size overflow plugin (triggered by the upcoming 3.14 kernel only) arch/arm/include/asm/page.h | 1 + drivers/base/power/domain.c | 4 +- drivers/gpio/gpio-em.c | 2 +- drivers/gpio/gpio-rcar.c | 2 +- drivers/mfd/ab8500-debugfs.c | 2 +- drivers/net/can/Kconfig | 2 +- drivers/staging/imx-drm/imx-drm-core.c | 6 +- include/linux/pm_domain.h | 2 +- tools/gcc/gcc-common.h | 12 +++ tools/gcc/size_overflow_plugin.c | 116 +++++++++++++++++++++++--------- 10 files changed, 106 insertions(+), 43 deletions(-) commit e018f0a38370496abe4289911eb67f1816cdc65d Author: Brad Spengler Date: Mon Mar 17 19:12:04 2014 -0400 move the location of the include to suit pipacs' OCD arch/arm/include/asm/page.h | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit bb6742b0e35d1ee42ec643ea921a340d672ec3bc Author: Brad Spengler Date: Mon Mar 17 18:01:11 2014 -0400 revert lustre change, we'll include compiler.h from asm/page.h instead .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit a39c965db54a571780b9844d93cfec71265b2c5e Author: Brad Spengler Date: Mon Mar 17 18:00:13 2014 -0400 fix ARM compilation with constify plugin arch/arm/include/asm/page.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 721fb83dc182e1442311b8ca3a986963f9cf2b76 Author: Brad Spengler Date: Mon Mar 17 17:18:04 2014 -0400 move header ordering .../lustre/include/linux/lnet/linux/lib-lnet.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 985afa44870e690fce35adf47979a99855db3323 Author: Brad Spengler Date: Mon Mar 17 17:02:24 2014 -0400 compile fix for lustre on ARM with constify plugin .../lustre/include/linux/lnet/linux/lib-lnet.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e5c4fe3e8fb7e1a64f1ab29887b7f787cc989c24 Author: Brad Spengler Date: Mon Mar 17 16:04:34 2014 -0400 fix compiler error caused by constify plugin on ARM drivers/mfd/ab8500-debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b6e2f644cf05a858d3988fb9bb8a8ca6c0beeff4 Author: Brad Spengler Date: Mon Mar 17 15:46:53 2014 -0400 fix more compile errors caused by RANDSTRUCT and constify plugins on ARM drivers/base/power/domain.c | 4 ++-- include/linux/pm_domain.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 2d33f0f25f7ee45412728f8bad6ef97b5bf40a66 Author: Brad Spengler Date: Mon Mar 17 15:34:17 2014 -0400 fix another compile error caused by constify plugin on ARM drivers/gpio/gpio-rcar.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 05b33c660567d4dc74ebcd06e996bf0656146757 Author: Brad Spengler Date: Mon Mar 17 15:08:49 2014 -0400 fix compile error caused by constify plugin on ARM drivers/gpio/gpio-em.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b9c8e0a83ba19e0228317675ffb4e1c1fb175b31 Author: Brad Spengler Date: Sun Mar 16 21:17:20 2014 -0400 fix allyesconfig compilation with PAX_REFCOUNT drivers/staging/imx-drm/imx-drm-core.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b855bafd2e8d4b50c13586e5a00905fb9c03ed5a Author: Brad Spengler Date: Sun Mar 16 21:04:10 2014 -0400 fix arm allmodconfig drivers/net/can/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 611bf735a4def802205cc83a131ec9c77c194662 Author: Brad Spengler Date: Fri Mar 14 20:12:02 2014 -0400 add /usr/share/apport/apport to the allowed userland exec paths -- because apparently some distros have no problem just throwing critical binaries around anywhere. kernel/kmod.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 51692fc9a6be048dd0500f78f97aed4db87bc359 Merge: 54fa0d5 7fcc1d0 Author: Brad Spengler Date: Fri Mar 14 20:09:56 2014 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/mips/mm/mmap.c commit 7fcc1d01537c3e4d4cb3494b4e19890864473376 Author: Brad Spengler Date: Fri Mar 14 20:08:19 2014 -0400 Update to pax-linux-3.13.6-test13.patch: - fixed a few compilation errors on MIPS, by Hinnerk van Bruinehsen arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/kernel/setup.c | 4 ++-- arch/arm/mm/mmu.c | 2 +- arch/mips/cavium-octeon/dma-octeon.c | 2 +- arch/mips/include/asm/hw_irq.h | 2 +- arch/mips/kernel/i8259.c | 2 +- arch/mips/kernel/irq-gt641xx.c | 2 +- arch/mips/kernel/reset.c | 4 ++++ arch/mips/mm/mmap.c | 2 +- arch/mips/pci/pci-octeon.c | 4 ++-- arch/mips/pci/pcie-octeon.c | 12 ++++++------ arch/mips/sni/rm200.c | 2 +- arch/mips/vr41xx/common/icu.c | 2 +- arch/mips/vr41xx/common/irq.c | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 2 +- ipc/mq_sysctl.c | 2 +- kernel/panic.c | 2 +- 18 files changed, 29 insertions(+), 25 deletions(-) commit 54fa0d51929173d4eb6c060ea966ec5abe32faaf Author: Brad Spengler Date: Wed Mar 12 22:54:32 2014 -0400 add support for PAX_EMUTRAMP by default in the autoconfig security/Kconfig | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 1a3518d87b5faa66b5684569bfe84024edc955ce Author: Laura Abbott Date: Mon Mar 10 15:49:44 2014 -0700 Upstream commit: 2af120bc040c5ebcda156df6be6a66610ab6957f mm/compaction: break out of loop on !PageBuddy in isolate_freepages_block We received several reports of bad page state when freeing CMA pages previously allocated with alloc_contig_range: BUG: Bad page state in process Binder_A pfn:63202 page:d21130b0 count:0 mapcount:1 mapping: (null) index:0x7dfbf page flags: 0x40080068(uptodate|lru|active|swapbacked) Based on the page state, it looks like the page was still in use. The page flags do not make sense for the use case though. Further debugging showed that despite alloc_contig_range returning success, at least one page in the range still remained in the buddy allocator. There is an issue with isolate_freepages_block. In strict mode (which CMA uses), if any pages in the range cannot be isolated, isolate_freepages_block should return failure 0. The current check keeps track of the total number of isolated pages and compares against the size of the range: if (strict && nr_strict_required > total_isolated) total_isolated = 0; After taking the zone lock, if one of the pages in the range is not in the buddy allocator, we continue through the loop and do not increment total_isolated. If in the last iteration of the loop we isolate more than one page (e.g. last page needed is a higher order page), the check for total_isolated may pass and we fail to detect that a page was skipped. The fix is to bail out if the loop immediately if we are in strict mode. There's no benfit to continuing anyway since we need all pages to be isolated. Additionally, drop the error checking based on nr_strict_required and just check the pfn ranges. This matches with what isolate_freepages_range does. Signed-off-by: Laura Abbott Acked-by: Minchan Kim Cc: Mel Gorman Acked-by: Vlastimil Babka Cc: Joonsoo Kim Acked-by: Bartlomiej Zolnierkiewicz Acked-by: Michal Nazarewicz Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/compaction.c | 20 +++++++++++++------- 1 files changed, 13 insertions(+), 7 deletions(-) commit 6c2a0937a7bb61db66b01160334fa83c93c05c7b Author: Artem Fetishev Date: Mon Mar 10 15:49:45 2014 -0700 Upstream commit: 70335abb2689c8cd5df91bf2d95a65649addf50b fs/proc/base.c: fix GPF in /proc/$PID/map_files The expected logic of proc_map_files_get_link() is either to return 0 and initialize 'path' or return an error and leave 'path' uninitialized. By the time dname_to_vma_addr() returns 0 the corresponding vma may have already be gone. In this case the path is not initialized but the return value is still 0. This results in 'general protection fault' inside d_path(). Steps to reproduce: CONFIG_CHECKPOINT_RESTORE=y fd = open(...); while (1) { mmap(fd, ...); munmap(fd, ...); } ls -la /proc/$PID/map_files Addresses https://bugzilla.kernel.org/show_bug.cgi?id=68991 Signed-off-by: Artem Fetishev Signed-off-by: Aleksandr Terekhov Reported-by: Acked-by: Pavel Emelyanov Acked-by: Cyrill Gorcunov Reviewed-by: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/proc/base.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 34d22047e821cdae1d31beb2fdda8e6e9fe40cdf Author: Matthew Leach Date: Tue Mar 11 11:58:27 2014 +0000 Upstream commit: dbb490b96584d4e958533fb637f08b557f505657 net: socket: error on a negative msg_namelen When copying in a struct msghdr from the user, if the user has set the msg_namelen parameter to a negative value it gets clamped to a valid size due to a comparison between signed and unsigned values. Ensure the syscall errors when the user passes in a negative value. Signed-off-by: Matthew Leach Signed-off-by: David S. Miller net/socket.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit a28f7e3e1ec4d26bf7734c70ca3b6107e54597ca Author: Alexei Starovoitov Date: Mon Mar 10 15:56:51 2014 -0700 Upstream commit: fdfaf64e75397567257e1051931f9a3377360665 x86: bpf_jit: support negative offsets Commit a998d4342337 claimed to introduce negative offset support to x86 jit, but it couldn't be working, since at the time of the execution of LD+ABS or LD+IND instructions via call into bpf_internal_load_pointer_neg_helper() the %edx (3rd argument of this func) had junk value instead of access size in bytes (1 or 2 or 4). Store size into %edx instead of %ecx (what original commit intended to do) Fixes: a998d4342337 ("bpf jit: Let the x86 jit handle negative offsets") Signed-off-by: Alexei Starovoitov Cc: Jan Seiffert Cc: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: David S. Miller arch/x86/net/bpf_jit.S | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 977ee3909139082a57a04afbb8e9ee202475aa27 Author: Brad Spengler Date: Wed Mar 12 19:21:43 2014 -0400 Improve GRKERNSEC_JIT_HARDEN against a theoretical attack I dreamed up -- if an attacker had an arbitrary read vuln and ability to redirect control flow, he could, in ~2,000,000,000 attempts have a 50% chance of pre-selecting a 32bit random key which the attacker has XORed with his desired immediates to cause the constant blinding to produce a potentially useful instruction stream (which he could verify by abusing the infoleak). Instead of using one key per instruction stream, generate a new key for each instruction using prandom_u32(). The downside is some performance impact during JIT compilation, though this shouldn't be so common an event for anyone to notice. arch/x86/net/bpf_jit_comp.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 1b3f7f8f68d05143c0d55e8ceba0904c21007ad4 Author: Brad Spengler Date: Fri Mar 7 20:44:22 2014 -0500 fix typo ipc/mq_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 90c31e93dc4eb2045775930cacbb64318cabafad Author: Brad Spengler Date: Fri Mar 7 20:25:53 2014 -0500 add no_const to ctl_table located on stack ipc/mq_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 098fd10b3af4ef61b2edc60314ef18991b2f6f71 Author: Sabrina Dubroca Date: Thu Mar 6 17:51:57 2014 +0100 Upstream commit: c88507fbad8055297c1d1e21e599f46960cbee39 ipv6: don't set DST_NOCOUNT for remotely added routes DST_NOCOUNT should only be used if an authorized user adds routes locally. In case of routes which are added on behalf of router advertisments this flag must not get used as it allows an unlimited number of routes getting added remotely. Signed-off-by: Sabrina Dubroca Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/route.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c4bd306f576cc03b5f0f9e56253e3f0a3be5d3bd Merge: 71ed8ef a2aac72 Author: Brad Spengler Date: Fri Mar 7 20:10:30 2014 -0500 Merge branch 'pax-test' into grsec-test commit a2aac72603c2309d560a606493bb3003e2abe6c7 Merge: 96545e3 404df65 Author: Brad Spengler Date: Fri Mar 7 20:10:13 2014 -0500 Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/arm/mm/mmu.c mm/memory.c commit 71ed8ef8e7d2ffcc57b5ffacef3a9262ed8781c7 Author: Brad Spengler Date: Tue Mar 4 18:08:29 2014 -0500 Backport security fix: http://seclists.org/oss-sec/2014/q1/477 net/ipv4/inet_fragment.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d752f1f1704ddbec282d7eb2150c75e05b9bcdd3 Author: Daniel Borkmann Date: Mon Mar 3 17:23:04 2014 +0100 Upstream commit: ec0223ec48a90cb605244b45f7c62de856403729 Remote DoS fix net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable RFC4895 introduced AUTH chunks for SCTP; during the SCTP handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS being optional though): ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- -------------------- COOKIE-ECHO --------------------> <-------------------- COOKIE-ACK --------------------- A special case is when an endpoint requires COOKIE-ECHO chunks to be authenticated: ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- ------------------ AUTH; COOKIE-ECHO ----------------> <-------------------- COOKIE-ACK --------------------- RFC4895, section 6.3. Receiving Authenticated Chunks says: The receiver MUST use the HMAC algorithm indicated in the HMAC Identifier field. If this algorithm was not specified by the receiver in the HMAC-ALGO parameter in the INIT or INIT-ACK chunk during association setup, the AUTH chunk and all the chunks after it MUST be discarded and an ERROR chunk SHOULD be sent with the error cause defined in Section 4.1. [...] If no endpoint pair shared key has been configured for that Shared Key Identifier, all authenticated chunks MUST be silently discarded. [...] When an endpoint requires COOKIE-ECHO chunks to be authenticated, some special procedures have to be followed because the reception of a COOKIE-ECHO chunk might result in the creation of an SCTP association. If a packet arrives containing an AUTH chunk as a first chunk, a COOKIE-ECHO chunk as the second chunk, and possibly more chunks after them, and the receiver does not have an STCB for that packet, then authentication is based on the contents of the COOKIE-ECHO chunk. In this situation, the receiver MUST authenticate the chunks in the packet by using the RANDOM parameters, CHUNKS parameters and HMAC_ALGO parameters obtained from the COOKIE-ECHO chunk, and possibly a local shared secret as inputs to the authentication procedure specified in Section 6.3. If authentication fails, then the packet is discarded. If the authentication is successful, the COOKIE-ECHO and all the chunks after the COOKIE-ECHO MUST be processed. If the receiver has an STCB, it MUST process the AUTH chunk as described above using the STCB from the existing association to authenticate the COOKIE-ECHO chunk and all the chunks after it. [...] Commit bbd0d59809f9 introduced the possibility to receive and verification of AUTH chunk, including the edge case for authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, the function sctp_sf_do_5_1D_ce() handles processing, unpacks and creates a new association if it passed sanity checks and also tests for authentication chunks being present. After a new association has been processed, it invokes sctp_process_init() on the new association and walks through the parameter list it received from the INIT chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO and SCTP_PARAM_CHUNKS, and copies them into asoc->peer meta data (peer_random, peer_hmacs, peer_chunks) in case sysctl -w net.sctp.auth_enable=1 is set. If in INIT's SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, peer_random != NULL and peer_hmacs != NULL the peer is to be assumed asoc->peer.auth_capable=1, in any other case asoc->peer.auth_capable=0. Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is available, we set up a fake auth chunk and pass that on to sctp_sf_authenticate(), which at latest in sctp_auth_calculate_hmac() reliably dereferences a NULL pointer at position 0..0008 when setting up the crypto key in crypto_hash_setkey() by using asoc->asoc_shared_key that is NULL as condition key_id == asoc->active_key_id is true if the AUTH chunk was injected correctly from remote. This happens no matter what net.sctp.auth_enable sysctl says. The fix is to check for net->sctp.auth_enable and for asoc->peer.auth_capable before doing any operations like sctp_sf_authenticate() as no key is activated in sctp_auth_asoc_init_active_key() for each case. Now as RFC4895 section 6.3 states that if the used HMAC-ALGO passed from the INIT chunk was not used in the AUTH chunk, we SHOULD send an error; however in this case it would be better to just silently discard such a maliciously prepared handshake as we didn't even receive a parameter at all. Also, as our endpoint has no shared key configured, section 6.3 says that MUST silently discard, which we are doing from now onwards. Before calling sctp_sf_pdiscard(), we need not only to free the association, but also the chunk->auth_chunk skb, as commit bbd0d59809f9 created a skb clone in that case. I have tested this locally by using netfilter's nfqueue and re-injecting packets into the local stack after maliciously modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) and the SCTP packet containing the COOKIE_ECHO (injecting AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") Signed-off-by: Daniel Borkmann Cc: Vlad Yasevich Cc: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/sm_statefuns.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 855c02e8cb1af9b40752258060af547805881899 Author: Brad Spengler Date: Tue Mar 4 18:05:10 2014 -0500 Backport local DoS fix: http://seclists.org/oss-sec/2014/q1/494 security/keys/keyring.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 4877e98529649880ac76ade11e5529403a40ea73 Author: Brad Spengler Date: Mon Mar 3 14:42:58 2014 -0500 mark 'processor' as __read_only instead of forcing constify on it to avoid a GCC constant propagation that will cause a NULL deref on boot on ARM MULTI_CPU configs Thanks to Arnaud Fontaine and Arnaud Ebalard for the report, fix is from the PaX Team arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/kernel/setup.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit 9c8d2926262f0345af454da45b41c6259bdc89e8 Author: Andrew Honig Date: Thu Feb 27 19:35:14 2014 +0100 Upstream commit: a08d3b3b99efd509133946056531cdf8f3a0c09b kvm: x86: fix emulator buffer overflow (CVE-2014-0049) The problem occurs when the guest performs a pusha with the stack address pointing to an mmio address (or an invalid guest physical address) to start with, but then extending into an ordinary guest physical address. When doing repeated emulated pushes emulator_read_write sets mmio_needed to 1 on the first one. On a later push when the stack points to regular memory, mmio_nr_fragments is set to 0, but mmio_is_needed is not set to 0. As a result, KVM exits to userspace, and then returns to complete_emulated_mmio. In complete_emulated_mmio vcpu->mmio_cur_fragment is incremented. The termination condition of vcpu->mmio_cur_fragment == vcpu->mmio_nr_fragments is never achieved. The code bounces back and fourth to userspace incrementing mmio_cur_fragment past it's buffer. If the guest does nothing else it eventually leads to a a crash on a memcpy from invalid memory address. However if a guest code can cause the vm to be destroyed in another vcpu with excellent timing, then kvm_clear_async_pf_completion_queue can be used by the guest to control the data that's pointed to by the call to cancel_work_item, which can be used to gain execution. Fixes: f78146b0f9230765c6315b2e14f56112513389ad Signed-off-by: Andrew Honig Cc: stable@vger.kernel.org (3.5+) Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40051b60939861d365baf66d95dadd3f090542ac Author: Mike Pecovnik Date: Mon Feb 24 21:11:16 2014 +0100 Upstream commit: 46833a86f7ab30101096d81117dd250bfae74c6f net: Fix permission check in netlink_connect() netlink_sendmsg() was changed to prevent non-root processes from sending messages with dst_pid != 0. netlink_connect() however still only checks if nladdr->nl_groups is set. This patch modifies netlink_connect() to check for the same condition. Signed-off-by: Mike Pecovnik Signed-off-by: David S. Miller net/netlink/af_netlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a3be34042aa8d3eccb476cb240d8cdc85024b18a Author: Brad Spengler Date: Sat Mar 1 23:17:33 2014 -0500 Apply role_umask RBAC restrictions to POSIX ACLs as well fs/posix_acl.c | 7 +++++-- fs/xattr_acl.c | 9 +++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) commit 652b798b80f39815b94fc9b7192d648ad6b6cf64 Author: Brad Spengler Date: Mon Feb 24 21:57:37 2014 -0500 mention in config help that gcc 4.6.4 or higher is needed for RANDSTRUCT grsecurity/Kconfig | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 5ffde76a88cb5dadc307cabc33d7ad253158b608 Author: Brad Spengler Date: Mon Feb 24 18:54:34 2014 -0500 use current_umask() helper in lustre instead of current->fs->umask drivers/staging/lustre/lustre/llite/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 49761e88b63e2771f09aa16cb4e98c681515cf31 Merge: daf0afa 96545e3 Author: Brad Spengler Date: Mon Feb 24 17:43:09 2014 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/cpu/common.c commit 96545e3f1c4df86c1d9b74a1916d1b712138345f Merge: 1ea0c4a dc0ead5 Author: Brad Spengler Date: Mon Feb 24 17:37:59 2014 -0500 Update to pax-linux-3.13.5-test11.patch: - fixed a mismerge in atomic64_sub_return on arm, reported by Arnaud Fontaine - the latent entropy plugin can now initialize structure variables as well Merge branch 'linux-3.13.y' into pax-test Conflicts: arch/x86/kernel/ftrace.c include/linux/compiler-gcc4.h commit daf0afa64695bd49bf6be19450fea0a533edc3ab Author: Brad Spengler Date: Mon Feb 24 17:16:47 2014 -0500 when IPC hardening is disabled via sysctl, we shouldn't be imposing any additional restrictions thanks to Mathias Krause (minipli) for the report grsecurity/grsec_ipc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 179bf20a88510350fc86383c7d1b8e7d422cc604 Author: Brad Spengler Date: Fri Feb 21 12:06:41 2014 -0500 add missing return in the ARM refcount code. Thanks to Arnaud Fontaine for the report and patch! arch/arm/include/asm/atomic.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 5eecd26548fa8462296745eedf66858bf83532c9 Merge: d32875c 1ea0c4a Author: Brad Spengler Date: Thu Feb 20 21:39:25 2014 -0500 Merge branch 'pax-test' into grsec-test commit 1ea0c4ab7114838fb5f7b320c5c4bee6269c2f99 Author: Brad Spengler Date: Thu Feb 20 21:39:02 2014 -0500 Update to pax-linux-3.13.4-test10.patch tools/gcc/latent_entropy_plugin.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit d32875ccf8800fd9b458907fbd9f08e74847012b Author: Brad Spengler Date: Thu Feb 20 18:42:11 2014 -0500 work around pipacs' latent_entropy plugin tools/gcc/randomize_layout_plugin.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 91ea54c68a7f728341371d3ca8c6208acc885706 Author: Brad Spengler Date: Thu Feb 20 17:57:36 2014 -0500 .data takes the address of the ints, not their values net/core/neighbour.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit bc41258c48ca6acae51d191e914556ab37ca7c92 Merge: 3051292 0ce19d4 Author: Brad Spengler Date: Thu Feb 20 17:45:07 2014 -0500 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/compiler-gcc4.h commit 0ce19d411496f0ab77a86c1c5091b909fd720665 Author: Brad Spengler Date: Thu Feb 20 17:43:26 2014 -0500 Update to pax-linux-3.13.4-test10.patch: - fixed asm goto for all gcc versions, backport from upstream (https://git.kernel.org/linus/a9f180345f5378ac87) - fixed a size overflow false positive in the ELF loader (needs a non-0 based PIE to trigger), reported by spender - the latent entropy plugin will now insert some entropy at compile time into the random pools drivers/char/random.c | 6 +- fs/binfmt_elf.c | 2 +- include/linux/compiler-gcc4.h | 4 -- tools/gcc/gcc-common.h | 10 ++++- tools/gcc/latent_entropy_plugin.c | 84 +++++++++++++++++++++++++++++++++---- tools/gcc/stackleak_plugin.c | 5 +- 6 files changed, 90 insertions(+), 21 deletions(-) commit 3051292e84bf30c218e447a105ab898e8c509b44 Merge: 71d207d 8a3ecf6 Author: Brad Spengler Date: Thu Feb 20 17:19:54 2014 -0500 Merge branch 'pax-test' into grsec-test commit 8a3ecf6d2b7e6304d259608e77a7259daeeeab9b Merge: 98242db 93ee5dc Author: Brad Spengler Date: Thu Feb 20 17:17:30 2014 -0500 Merge branch 'linux-3.13.y' into pax-test commit 71d207d2df0cc95b1cf26d1499317d5b010c4033 Author: Brad Spengler Date: Thu Feb 20 16:59:26 2014 -0500 Fix a 16+ year old hack in Linux that exposed itself when RANDSTRUCT was enabled, reported by jacekalex on the forums include/net/neighbour.h | 1 - net/core/neighbour.c | 9 +++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 6d3beec0d1c79dfad2ba060c4d06ebf65ce39d15 Author: Brad Spengler Date: Wed Feb 19 22:01:38 2014 -0500 Backport CIFS vuln fix: http://article.gmane.org/gmane.linux.kernel.cifs/9401 fs/cifs/file.c | 37 ++++++++++++++++++++++++++++++++++--- 1 files changed, 34 insertions(+), 3 deletions(-) commit 20eb03803ea2fea3f8c420b69097058122de32f6 Author: Trond Myklebust Date: Tue Feb 11 09:15:54 2014 -0500 Upstream commit: 06ea0bfe6e6043cb56a78935a19f6f8ebc636226 SUNRPC: Fix races in xs_nospace() When a send failure occurs due to the socket being out of buffer space, we call xs_nospace() in order to have the RPC task wait until the socket has drained enough to make it worth while trying again. The current patch fixes a race in which the socket is drained before we get round to setting up the machinery in xs_nospace(), and which is reported to cause hangs. Link: http://lkml.kernel.org/r/20140210170315.33dfc621@notabene.brown Fixes: a9a6b52ee1ba (SUNRPC: Don't start the retransmission timer...) Reported-by: Neil Brown Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust net/sunrpc/xprtsock.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 9fff690287df8c389126420e1dab2608ddb4be75 Author: Trond Myklebust Date: Tue Feb 11 13:56:54 2014 -0500 Upstream commit: 628356791b04ea988fee070f66a748a823d001bb SUNRPC: Fix potential memory scribble in xprt_free_bc_request() The call to xprt_free_allocation() will call list_del() on req->rq_bc_pa_list, which is not attached to a list. This patch moves the list_del() out of xprt_free_allocation() and into those callers that need it. Signed-off-by: Trond Myklebust net/sunrpc/backchannel_rqst.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 5382ae56cf22adf34d2dd9da03b3a44af0c846f1 Author: Trond Myklebust Date: Sun Feb 16 12:14:13 2014 -0500 Upstream commit: 9eb2ddb48ce3a7bd745c14a933112994647fa3cd SUNRPC: Ensure that gss_auth isn't freed before its upcall messages Fix a race in which the RPC client is shutting down while the gss daemon is processing a downcall. If the RPC client manages to shut down before the gss daemon is done, then the struct gss_auth used in gss_release_msg() may have already been freed. Link: http://lkml.kernel.org/r/1392494917.71728.YahooMailNeo@web140002.mail.bf1.yahoo.com Reported-by: John Reported-by: Borislav Petkov Cc: stable@vger.kernel.org # 3.12+ Signed-off-by: Trond Myklebust net/sunrpc/auth_gss/auth_gss.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) commit 76e2d40cfc26bc44ba2ff4604c1f0ff4821ec13b Author: Trond Myklebust Date: Sun Feb 16 13:28:01 2014 -0500 Upstream commit: e9776d0f4adee8877145672f6416b06b57f2dc27 SUNRPC: Fix a pipe_version reference leak In gss_alloc_msg(), if the call to gss_encode_v1_msg() fails, we want to release the reference to the pipe_version that was obtained earlier in the function. Fixes: 9d3a2260f0f4b (SUNRPC: Fix buffer overflow checking in...) Signed-off-by: Trond Myklebust net/sunrpc/auth_gss/auth_gss.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 715c3e4109210d090282b360463aa474c978dcf5 Author: Christoffer Dall Date: Sun Feb 2 22:21:31 2014 +0100 Upstream commit: 4d9c5b89cf3605bbc39c6e274351ff25f0d83e6a ARM: 7950/1: mm: Fix stage-2 device memory attributes The stage-2 memory attributes are distinct from the Hyp memory attributes and the Stage-1 memory attributes. We were using the stage-1 memory attributes for stage-2 mappings causing device mappings to be mapped as normal memory. Add the S2 equivalent defines for memory attributes and fix the comments explaining the defines while at it. Add a prot_pte_s2 field to the mem_type struct and fill out the field for device mappings accordingly. Cc: [3.9+] Acked-by: Marc Zyngier Acked-by: Catalin Marinas Signed-off-by: Christoffer Dall Signed-off-by: Russell King Conflicts: arch/arm/mm/mmu.c arch/arm/include/asm/pgtable-3level.h | 15 +++++++++------ arch/arm/mm/mm.h | 1 + arch/arm/mm/mmu.c | 7 ++++++- 3 files changed, 16 insertions(+), 7 deletions(-) commit 49f25f2842b5e567ca45d5648460ad7cfd2af7ab Author: Will Deacon Date: Fri Feb 7 19:12:20 2014 +0100 Upstream commit: bae0ca2bc550d1ec6a118fb8f2696f18c4da3d8e ARM: 7953/1: mm: ensure TLB invalidation is complete before enabling MMU During __v{6,7}_setup, we invalidate the TLBs since we are about to enable the MMU on return to head.S. Unfortunately, without a subsequent dsb instruction, the invalidation is not guaranteed to have completed by the time we write to the sctlr, potentially exposing us to junk/stale translations cached in the TLB. This patch reworks the init functions so that the dsb used to ensure completion of cache/predictor maintenance is also used to ensure completion of the TLB invalidation. Cc: Reported-by: Albin Tonnerre Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/mm/proc-v6.S | 3 ++- arch/arm/mm/proc-v7.S | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) commit fa4b67556529451bd4489b07472f58feec35d51d Author: Will Deacon Date: Fri Feb 7 19:12:32 2014 +0100 Upstream commit: 7c8746a9eb287642deaad0e7c2cdf482dce5e4be ARM: 7955/1: spinlock: ensure we have a compiler barrier before sev When unlocking a spinlock, we require the following, strictly ordered sequence of events: /* dmb */ /* dsb */ Whilst the code does indeed reflect this in terms of the architecture, the final + have been contracted into a single inline asm without a "memory" clobber, therefore the compiler is at liberty to reorder the unlock to the end of the above sequence. In such a case, a waiting CPU may be woken up before the lock has been unlocked, leading to extremely poor performance. This patch reworks the dsb_sev() function to make use of the dsb() macro and ensure ordering against the unlock. Cc: Reported-by: Mark Rutland Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/include/asm/spinlock.h | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit f3efaba9e0a1d5d96fc0783ae8ec8e733e113bfa Author: Russell King Date: Tue Feb 11 17:11:04 2014 +0000 Upstream commit: e83b366487b5582274374f8226e489cb214ae5a6 Fix uses of dma_max_pfn() when converting to a limiting address We must use a 64-bit for this, otherwise overflowed bits get lost, and that can result in a lower than intended value set. Fixes: 8e0cb8a1f6ac ("ARM: 7797/1: mmc: Use dma_max_pfn(dev) helper for bounce_limit calculations") Fixes: 7d35496dd982 ("ARM: 7796/1: scsi: Use dma_max_pfn(dev) helper for bounce_limit calculations") Tested-Acked-by: Santosh Shilimkar Reviewed-by: Ulf Hansson Signed-off-by: Russell King drivers/mmc/card/queue.c | 2 +- drivers/scsi/scsi_lib.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 5a3e8a10d439ba8bcd893bf2159618908fe80384 Author: Vinayak Kale Date: Wed Feb 12 07:30:01 2014 +0100 Upstream commit: 39544ac9df20f73e49fc6b9ac19ff533388c82c0 ARM: 7957/1: add DSB after icache flush in __flush_icache_all() Add DSB after icache flush to complete the cache maintenance operation. Signed-off-by: Vinayak Kale Acked-by: Catalin Marinas Cc: Signed-off-by: Russell King arch/arm/include/asm/cacheflush.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 26d22a6946dfbb4f4a760038816c43ba49504863 Author: Linus Torvalds Date: Mon Feb 17 12:24:45 2014 -0800 Upstream commit: e4178d809fdaee32a56833fff1f5056c99e90a1a printk: fix syslog() overflowing user buffer This is not a buffer overflow in the traditional sense: we don't overflow any *kernel* buffers, but we do mis-count the amount of data we copy back to user space for the SYSLOG_ACTION_READ_ALL case. In particular, if the user buffer is too small to hold everything, and *if* there is a continuation line at just the right place, we can end up giving the user more data than he asked for. The reason is that we first count up the number of bytes all the log records contains, then we walk the records again until we've skipped the records at the beginning that won't fit, and then we walk the rest of the records and copy them to the user space buffer. And in between that "skip the initial records that won't fit" and the "copy the records that *will* fit to user space", we reset the 'prev' variable that contained the record information for the last record not copied. That meant that when we started copying to user space, we now had a different character count than what we had originally calculated in the first record walk-through. The fix is to simply not clear the 'prev' flags value (in both cases where we had the same logic: syslog_print_all and kmsg_dump_get_buffer: the latter is used for pstore-like dumping) Reported-and-tested-by: Debabrata Banerjee Acked-by: Kay Sievers Cc: Greg Kroah-Hartman Cc: Jeff Mahoney Signed-off-by: Linus Torvalds kernel/printk/printk.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 88d5fdac3aa7813d963ab5a3325c2f15c36c97cf Author: Rafael Aquini Date: Mon Feb 10 14:25:48 2014 -0800 Upstream commit: a0b54adda3fe4b4cc6d28f2a9217cd35d1aa888c mm: fix page leak at nfs_symlink() Changes in commit a0b8cab3b9b2 ("mm: remove lru parameter from __pagevec_lru_add and remove parts of pagevec API") have introduced a call to add_to_page_cache_lru() which causes a leak in nfs_symlink() as now the page gets an extra refcount that is not dropped. Jan Stancek observed and reported the leak effect while running test8 from Connectathon Testsuite. After several iterations over the test case, which creates several symlinks on a NFS mountpoint, the test system was quickly getting into an out-of-memory scenario. This patch fixes the page leak by dropping that extra refcount add_to_page_cache_lru() is grabbing. Signed-off-by: Jan Stancek Signed-off-by: Rafael Aquini Acked-by: Mel Gorman Acked-by: Rik van Riel Cc: Jeff Layton Cc: Trond Myklebust Cc: [3.11.x+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/nfs/dir.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit bf53635ba34d0ef231a89dd30aa9954b0fa3d87b Author: Dan Carpenter Date: Mon Feb 17 20:33:01 2014 -0500 Upstream commit: 92e3b40537707001d17bbad800d150ab04e53bf4 jbd2: fix use after free in jbd2_journal_start_reserved() If start_this_handle() fails then it leads to a use after free of "handle". Signed-off-by: Dan Carpenter Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/jbd2/transaction.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 7eb9d6b170b2d83e9a59d8d5e9c3eaec76b3e1a2 Author: Theodore Ts'o Date: Sat Feb 15 22:42:25 2014 -0500 Upstream commit: 3d2660d0c9c2f296837078c189b68a47f6b2e3b5 ext4: fix online resize with a non-standard blocks per group setting The set_flexbg_block_bitmap() function assumed that the number of blocks in a blockgroup was sb->blocksize * 8, which is normally true, but not always! Use EXT4_BLOCKS_PER_GROUP(sb) instead, to fix block bitmap corruption after: mke2fs -t ext4 -g 3072 -i 4096 /dev/vdd 1G mount -t ext4 /dev/vdd /vdd resize2fs /dev/vdd 8G Signed-off-by: "Theodore Ts'o" Reported-by: Jon Bernard Cc: stable@vger.kernel.org fs/ext4/resize.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 588500229af3505116b0fe05c4e54a06cabd64e4 Author: Theodore Ts'o Date: Sat Feb 15 21:33:13 2014 -0500 Upstream commit: b93c95353413041a8cebad915a8109619f66bcc6 ext4: fix online resize with very large inode tables If a file system has a large number of inodes per block group, all of the metadata blocks in a flex_bg may be larger than what can fit in a single block group. Unfortunately, ext4_alloc_group_tables() in resize.c was never tested to see if it would handle this case correctly, and there were a large number of bugs which caused the following sequence to result in a BUG_ON: kernel bug at fs/ext4/resize.c:409! ... call trace: [] ext4_flex_group_add+0x1448/0x1830 [] ext4_resize_fs+0x7b2/0xe80 [] ext4_ioctl+0xbf0/0xf00 [] do_vfs_ioctl+0x2dd/0x4b0 [] ? final_putname+0x22/0x50 [] sys_ioctl+0x81/0xa0 [] system_call_fastpath+0x16/0x1b code: c8 4c 89 df e8 41 96 f8 ff 44 89 e8 49 01 c4 44 29 6d d4 0 rip [] set_flexbg_block_bitmap+0x171/0x180 This can be reproduced with the following command sequence: mke2fs -t ext4 -i 4096 /dev/vdd 1G mount -t ext4 /dev/vdd /vdd resize2fs /dev/vdd 8G To fix this, we need to make sure the right thing happens when a block group's inode table straddles two block groups, which means the following bugs had to be fixed: 1) Not clearing the BLOCK_UNINIT flag in the second block group in ext4_alloc_group_tables --- the was proximate cause of the BUG_ON. 2) Incorrectly determining how many block groups contained contiguous free blocks in ext4_alloc_group_tables(). 3) Incorrectly setting the start of the next block range to be marked in use after a discontinuity in setup_new_flex_group_blocks(). Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/ext4/resize.c | 32 ++++++++++++++++++++------------ 1 files changed, 20 insertions(+), 12 deletions(-) commit dfb5654f8a9946e06f67d0481c907fa9ae4c6b04 Author: Theodore Ts'o Date: Wed Feb 12 12:16:04 2014 -0500 Upstream commit: 23301410972330c0ae9a8afc379ba2005e249cc6 ext4: don't try to modify s_flags if the the file system is read-only If an ext4 file system is created by some tool other than mke2fs (perhaps by someone who has a pathalogical fear of the GPL) that doesn't set one or the other of the EXT2_FLAGS_{UN}SIGNED_HASH flags, and that file system is then mounted read-only, don't try to modify the s_flags field. Otherwise, if dm_verity is in use, the superblock will change, causing an dm_verity failure. Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/ext4/super.c | 20 +++++++++++++------- 1 files changed, 13 insertions(+), 7 deletions(-) commit d2a631f973d3cff9a1c015cb64b08bb9cc52de8b Author: Eric Whitney Date: Wed Feb 12 10:42:45 2014 -0500 Upstream commit: 15cc17678547676c82a5da9ccf357447333fc342 ext4: fix xfstest generic/299 block validity failures Commit a115f749c1 (ext4: remove wait for unwritten extent conversion from ext4_truncate) exposed a bug in ext4_ext_handle_uninitialized_extents(). It can be triggered by xfstest generic/299 when run on a test file system created without a journal. This test continuously fallocates and truncates files to which random dio/aio writes are simultaneously performed by a separate process. The test completes successfully, but if the test filesystem is mounted with the block_validity option, a warning message stating that a logical block has been mapped to an illegal physical block is posted in the kernel log. The bug occurs when an extent is being converted to the written state by ext4_end_io_dio() and ext4_ext_handle_uninitialized_extents() discovers a mapping for an existing uninitialized extent. Although it sets EXT4_MAP_MAPPED in map->m_flags, it fails to set map->m_pblk to the discovered physical block number. Because map->m_pblk is not otherwise initialized or set by this function or its callers, its uninitialized value is returned to ext4_map_blocks(), where it is stored as a bogus mapping in the extent status tree. Since map->m_pblk can accidentally contain illegal values that are larger than the physical size of the file system, calls to check_block_validity() in ext4_map_blocks() that are enabled if the block_validity mount option is used can fail, resulting in the logged warning message. Signed-off-by: Eric Whitney Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org # 3.11+ fs/ext4/extents.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7eb52392ee886f01a5c944f35fbe95edc2169877 Author: Zheng Liu Date: Wed Feb 12 11:48:31 2014 -0500 Upstream commit: 30d29b119ef01776e0a301444ab24defe8d8bef3 ext4: fix error paths in swap_inode_boot_loader() In swap_inode_boot_loader() we forgot to release ->i_mutex and resume unlocked dio for inode and inode_bl if there is an error starting the journal handle. This commit fixes this issue. Reported-by: Ahmed Tamrawi Cc: Andreas Dilger Cc: Dr. Tilmann Bubeck Signed-off-by: Zheng Liu Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org # v3.10+ fs/ext4/ioctl.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4dc90c1991032c483b11690717ba07952f4fef07 Author: Theodore Ts'o Date: Sun Feb 16 19:29:32 2014 -0500 Upstream commit: 19ea80603715d473600cd993b9987bc97d042e02 ext4: don't leave i_crtime.tv_sec uninitialized If the i_crtime field is not present in the inode, don't leave the field uninitialized. Fixes: ef7f38359 ("ext4: Add nanosecond timestamps") Reported-by: Vegard Nossum Tested-by: Vegard Nossum Signed-off-by: "Theodore Ts'o" Cc: stable@vger.kernel.org fs/ext4/ext4.h | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 9d8aa319cfbfdb4bdf7a5d4adc4b93fe028bec12 Author: Brad Spengler Date: Wed Feb 19 20:39:37 2014 -0500 While a Xen dom0 is technically a guest, it's perceived as a host by many and there's really no Linux "host" for Xen, so allow PARAVIRT to be enabled on "host" kernels only when Xen is selected Thanks to gaima on the forums for the report Conflicts: arch/x86/Kconfig arch/x86/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8ef15c34cb044db1ae729a53327e5b848631fbee Author: Petr Písař Date: Thu Feb 6 21:01:23 2014 +0100 Upstream commit: 0930b0950a8996aa88b0d2ba4bb2bab27cc36bc7 vt: Fix secure clear screen \E[3J console code (secure clear screen) needs to update_screen(vc) in order to write-through blanks into off-screen video memory. This has been removed accidentally in 3.6 by: commit 81732c3b2fede049a692e58a7ceabb6d18ffb18c Author: Jean-François Moine Date: Thu Sep 6 19:24:13 2012 +0200 tty vt: Fix line garbage in virtual console on command line edition Signed-off-by: Petr Písař Cc: stable # 3.6 Signed-off-by: Greg Kroah-Hartman drivers/tty/vt/vt.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8568da92bd738464772c24fd68a9b300d22985b5 Author: H. Peter Anvin Date: Thu Feb 13 07:46:04 2014 -0800 Upstream commit: 4640c7ee9b8953237d05a61ea3ea93981d1bc961 x86, smap: smap_violation() is bogus if CONFIG_X86_SMAP is off If CONFIG_X86_SMAP is disabled, smap_violation() tests for conditions which are incorrect (as the AC flag doesn't matter), causing spurious faults. The dynamic disabling of SMAP (nosmap on the command line) is fine because it disables X86_FEATURE_SMAP, therefore causing the static_cpu_has() to return false. Found by Fengguang Wu's test system. [ v3: move all predicates into smap_violation() ] [ v2: use IS_ENABLED() instead of #ifdef ] Reported-by: Fengguang Wu Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost Signed-off-by: H. Peter Anvin Cc: # v3.7+ arch/x86/mm/fault.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit dc68abaa1208e66be3bc07eb57855d4ab413373c Author: H. Peter Anvin Date: Thu Feb 13 07:34:30 2014 -0800 Upstream commit: 03bbd596ac04fef47ce93a730b8f086d797c3021 x86, smap: Don't enable SMAP if CONFIG_X86_SMAP is disabled If SMAP support is not compiled into the kernel, don't enable SMAP in CR4 -- in fact, we should clear it, because the kernel doesn't contain the proper STAC/CLAC instructions for SMAP support. Found by Fengguang Wu's test system. Reported-by: Fengguang Wu Link: http://lkml.kernel.org/r/20140213124550.GA30497@localhost Signed-off-by: H. Peter Anvin Cc: # v3.7+ arch/x86/kernel/cpu/common.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 6d804df770568f2d41f36cc446dc2c4b9ddbdc66 Author: Steven Noonan Date: Wed Feb 12 23:01:07 2014 -0800 Upstream commit: a9f180345f5378ac87d80ed0bea55ba421d83859 compiler/gcc4: Make quirk for asm_volatile_goto() unconditional I started noticing problems with KVM guest destruction on Linux 3.12+, where guest memory wasn't being cleaned up. I bisected it down to the commit introducing the new 'asm goto'-based atomics, and found this quirk was later applied to those. Unfortunately, even with GCC 4.8.2 (which ostensibly fixed the known 'asm goto' bug) I am still getting some kind of miscompilation. If I enable the asm_volatile_goto quirk for my compiler, KVM guests are destroyed correctly and the memory is cleaned up. So make the quirk unconditional for now, until bug is found and fixed. Suggested-by: Linus Torvalds Signed-off-by: Steven Noonan Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Jakub Jelinek Cc: Richard Henderson Cc: Andrew Morton Cc: Oleg Nesterov Cc: Link: http://lkml.kernel.org/r/1392274867-15236-1-git-send-email-steven@uplinklabs.net Link: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58670 Signed-off-by: Ingo Molnar include/linux/compiler-gcc4.h | 6 +----- 1 files changed, 1 insertions(+), 5 deletions(-) commit df681ad2079c8b443dd98a66daa49a96f6803118 Author: Brad Spengler Date: Sat Feb 15 14:43:58 2014 -0500 add note on how to disable rate limiting on log messages grsecurity/Kconfig | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 247661801d1a9904eac479770aac8c31adfb3a03 Merge: 294e38e 98242db Author: Brad Spengler Date: Thu Feb 13 20:17:09 2014 -0500 Merge branch 'pax-test' into grsec-test commit 98242dba193affafa9996207af8aaee0a58e237c Author: Brad Spengler Date: Thu Feb 13 20:16:39 2014 -0500 Update to pax-linux-3.13.3-test9.patch: - forward port to 3.13.3 - updated hash table from Emese, missing entries reported by Adam ChyÅ‚a and Matthew Thode kernel/sched/core.c | 2 +- kernel/trace/ftrace.c | 8 ++++---- tools/gcc/size_overflow_hash.data | 6 ++++++ 3 files changed, 11 insertions(+), 5 deletions(-) commit 294e38ee2ac097654f11df09cfe8c5584a573b6c Merge: d1fd1fc 990a904 Author: Brad Spengler Date: Thu Feb 13 18:11:12 2014 -0500 Merge branch 'pax-test' into grsec-test commit 990a9041b296c2afe56f7c5ff4bb2e2e0ed6298f Merge: d32ab3c 7955a48 Author: Brad Spengler Date: Thu Feb 13 18:11:01 2014 -0500 Merge branch 'linux-3.13.y' into pax-test Conflicts: kernel/trace/ftrace.c commit d1fd1fc0d4c9d07cd6f2f2dad040db0f1c433b5d Author: Brad Spengler Date: Thu Feb 13 16:50:39 2014 -0500 Force off all virtualization guest options if the autoconfig choice was not for the kernel to be used for vm guests likewise force off Xen if it wasn't mentioned in the autoconfig arch/x86/Kconfig | 1 + arch/x86/xen/Kconfig | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 6f7fd76856916bda9145d3fb89b3462b18630c75 Merge: 32aa9fa d32ab3c Author: Brad Spengler Date: Thu Feb 13 15:25:21 2014 -0500 Merge branch 'pax-test' into grsec-test commit d32ab3c04e157fd34738846fc1cbdbed5eab1147 Author: Brad Spengler Date: Thu Feb 13 15:24:57 2014 -0500 Update to pax-linux-3.13.2-test9.patch: - fixed some gcc plugins to work in low-memory environments as well, reported by many, big thanks to niv for help tools/gcc/Makefile | 2 +- tools/gcc/latent_entropy_plugin.c | 18 +++++++++-- tools/gcc/size_overflow_plugin.c | 19 +++++++++-- tools/gcc/stackleak_plugin.c | 58 ++++++++++++++++++++++++++++-------- 4 files changed, 76 insertions(+), 21 deletions(-) commit 32aa9fa0174969476774c472226d304f122291a5 Author: Brad Spengler Date: Thu Feb 13 12:35:16 2014 -0500 add missing header grsecurity/grsec_mem.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48d8d3b1b527d8dc7a9162bda44d32608906632 Author: Brad Spengler Date: Thu Feb 13 12:04:44 2014 -0500 export msr_write logging function and convert all exported symbols to EXPORT_SYMBOL_GPL Conflicts: grsecurity/gracl.c grsecurity/grsec_disabled.c grsecurity/grsec_exec.c grsecurity/gracl.c | 8 ++++---- grsecurity/grsec_chroot.c | 2 +- grsecurity/grsec_disabled.c | 4 ++-- grsecurity/grsec_exec.c | 8 ++++---- grsecurity/grsec_init.c | 2 +- grsecurity/grsec_mem.c | 1 + grsecurity/grsec_sock.c | 12 ++++++------ grsecurity/grsec_time.c | 2 +- 8 files changed, 20 insertions(+), 19 deletions(-) commit 3c05c8568522f6a660debeaacf536a99a0212342 Author: Brad Spengler Date: Thu Feb 13 11:28:26 2014 -0500 add missing header arch/x86/kernel/msr.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e68254d468db8b3a28fa549606136fdba9276a75 Author: Brad Spengler Date: Thu Feb 13 11:12:36 2014 -0500 fix typo arch/x86/kernel/msr.c | 4 ++-- include/linux/grsecurity.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 2845d9e8598070db65f7429ecf2ac1803077ed9e Author: Brad Spengler Date: Thu Feb 13 10:57:06 2014 -0500 PLUGIN_FINISH_DECL is an enum, so use explicit gcc version checking instead tools/gcc/randomize_layout_plugin.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1cd63e6169739aa7881796ac74b43b83bdbd8626 Author: Brad Spengler Date: Thu Feb 13 09:23:29 2014 -0500 Relax MSR restrictions under GRKERNSEC_KMEM, allow MSR reads but not writes. Log all writing attempts. arch/x86/Kconfig | 1 - arch/x86/kernel/msr.c | 9 +++++++++ grsecurity/grsec_mem.c | 6 ++++++ include/linux/grmsg.h | 1 + include/linux/grsecurity.h | 1 + 5 files changed, 17 insertions(+), 1 deletions(-) commit a750206a1934759fc0da5ab831852a22ce720862 Author: Richard Yao Date: Sat Feb 8 19:32:01 2014 -0500 Upstream commit: b6f52ae2f0d32387bde2b89883e3b64d88b9bfe8 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers The 9p-virtio transport does zero copy on things larger than 1024 bytes in size. It accomplishes this by returning the physical addresses of pages to the virtio-pci device. At present, the translation is usually a bit shift. That approach produces an invalid page address when we read/write to vmalloc buffers, such as those used for Linux kernel modules. Any attempt to load a Linux kernel module from 9p-virtio produces the following stack. [] p9_virtio_zc_request+0x45e/0x510 [] p9_client_zc_rpc.constprop.16+0xfd/0x4f0 [] p9_client_read+0x15d/0x240 [] v9fs_fid_readn+0x50/0xa0 [] v9fs_file_readn+0x10/0x20 [] v9fs_file_read+0x37/0x70 [] vfs_read+0x9b/0x160 [] kernel_read+0x41/0x60 [] copy_module_from_fd.isra.34+0xfb/0x180 Subsequently, QEMU will die printing: qemu-system-x86_64: virtio: trying to map MMIO memory This patch enables 9p-virtio to correctly handle this case. This not only enables us to load Linux kernel modules off virtfs, but also enables ZFS file-based vdevs on virtfs to be used without killing QEMU. Special thanks to both Avi Kivity and Alexander Graf for their interpretation of QEMU backtraces. Without their guidence, tracking down this bug would have taken much longer. Also, special thanks to Linus Torvalds for his insightful explanation of why this should use is_vmalloc_addr() instead of is_vmalloc_or_module_addr(): https://lkml.org/lkml/2014/2/8/272 Signed-off-by: Richard Yao Signed-off-by: David S. Miller net/9p/trans_virtio.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 6f3de18441f63778b664f2815cfc0d2af0d22f4f Author: Brad Spengler Date: Thu Feb 13 08:38:14 2014 -0500 rename finish_decl function to fix compat with gcc 4.7.2 that exposed too much of its internals add a useful compile error if we try building with < gcc 4.6.4 tools/gcc/randomize_layout_plugin.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 596b24936ed3687455327c3d26a8a820263a1f88 Author: Brad Spengler Date: Tue Feb 11 17:33:49 2014 -0500 [PATCH] random: fix overflow for big nbits values in credit_entropy_bits() Commit 30e37ec516ae "random: account for entropy loss due to overwrites" introduced an overflow in the arithmetics of credit_entropy_bits() when CONFIG_GRKERNSEC_RANDNET is enabled as the latter quadruples the pool size and therefore invalidates the assumptions of the "nifty" formula. Fix the overflow by using 64bit arithmetics. Reported-by: Torsten Hilbrich Signed-off-by: Mathias Krause This bug is at worst a privileged DoS -- with RANDNET enabled, an admin with CAP_SYS_ADMIN feeding large amounts of entropy into the pool at once can cause less than expected entropy to be credited (but this doesn't affect how much is actually added). For specific buffer sizes, this can result in 0 entropy being credited and end in a situation in which the kernel can't recover, causing future reads from /dev/random to stall. Many thanks to Torsten and Mathias for the report! drivers/char/random.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 04f9fc1040b96a623cca444b330a3a96c104d3af Author: Brad Spengler Date: Sun Feb 9 11:30:53 2014 -0500 just ignore the seed file, the hash is in a different dir tools/gcc/.gitignore | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit eaddc3f039b57731d04d90e334cf75c6cdde895d Author: Brad Spengler Date: Sun Feb 9 11:27:22 2014 -0500 Don't pass the hashed seed via build commandline, generate a header to include in vermagic.h instead Documentation/dontdiff | 2 +- Makefile | 4 +--- include/linux/vermagic.h | 1 + tools/gcc/.gitignore | 4 ++-- tools/gcc/Makefile | 9 ++++----- tools/gcc/gen-random-seed.sh | 3 ++- 6 files changed, 11 insertions(+), 12 deletions(-) commit d3fcb6991a09d163867dd6e7e04ad5675f9c3202 Author: Brad Spengler Date: Sat Feb 8 22:03:25 2014 -0500 update dontdiff and .gitignore to reflect new seed/hash filenames for RANDSTRUCT Documentation/dontdiff | 4 ++-- tools/gcc/.gitignore | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 3e96d2ad6f7e3373a978767099f3b3bb12890644 Author: Brad Spengler Date: Sat Feb 8 20:02:12 2014 -0500 don't divide cputime by HZ as some architectures can't handle this use proper task_cputime and cputime_to_secs wrappers Thanks to Michael Tremer for the report grsecurity/gracl.c | 23 ++++++++++++----------- 1 files changed, 12 insertions(+), 11 deletions(-) commit bff837da26077ae243118561da6e31e8d2ef83b7 Author: Brad Spengler Date: Thu Feb 6 21:26:51 2014 -0500 gcc 4.9 update for RANDSTRUCT plugin part 1 tools/gcc/randomize_layout_plugin.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 58eee46f846245affdc86a1fd057bc7802bfef63 Merge: 954a136 2b56794 Author: Brad Spengler Date: Thu Feb 6 20:36:18 2014 -0500 Merge branch 'pax-test' into grsec-test commit 2b56794a375594b35d2984d0950059977624a5ed Author: Brad Spengler Date: Thu Feb 6 20:35:40 2014 -0500 Update to pax-linux-3.13.2-test8.patch: - fixed compile errors on arm due to constification, reported by Michael Tremer - fixed the PLUGIN_START_UNIT callback names in the latent entropy and size overflow plugins, reported by spender - added a new header to gcc-common.h, reported by spender - some useful backports from upstream 3.14: - debug info for .S: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7db436325db821b400328563ed693b09f8c4c46c - make v4 -s handling: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e36aaea28972c57a32a3ba5365e61633739719b9 Makefile | 8 +++++++- arch/arm/mach-omap2/powerdomains43xx_data.c | 5 ++++- arch/x86/include/asm/tlbflush.h | 1 - drivers/gpu/drm/armada/armada_drv.c | 10 +--------- drivers/gpu/drm/tegra/hdmi.c | 2 +- drivers/misc/eeprom/sunxi_sid.c | 4 +++- drivers/mmc/host/sdhci-esdhc-imx.c | 7 +++++-- include/drm/drmP.h | 1 + include/drm/ttm/ttm_page_alloc.h | 1 + tools/gcc/gcc-common.h | 1 + 10 files changed, 24 insertions(+), 16 deletions(-) commit 954a136c7f2ce3a76f9a8b148c49614092554b5b Author: Brad Spengler Date: Thu Feb 6 20:20:41 2014 -0500 Backport SELinux DoS fix from http://marc.info/?l=selinux&m=139110025203759&w=2 security/selinux/ss/services.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit a16066ea179a4f15b368cd5003d9c3638aa7f48e Author: Brad Spengler Date: Thu Feb 6 20:16:57 2014 -0500 don't pass the seed via build commandline, store it in a header file instead and build it into the RANDSTRUCT plugin. set up proper dependencies for the generated files used by the RANDSTRUCT plugin, fixing some race conditions in the build process support O= argument to make and place generated files in the target directory tree update RANDSTRUCT documentation Makefile | 6 ++---- grsecurity/Kconfig | 2 +- scripts/gen-random-seed.sh | 8 -------- tools/gcc/Makefile | 10 +++++++++- tools/gcc/gen-random-seed.sh | 7 +++++++ tools/gcc/randomize_layout_plugin.c | 23 ++++++++--------------- 6 files changed, 27 insertions(+), 29 deletions(-) commit 79cb2972d4d5e61a831e8eae996b286f433afd10 Author: Brad Spengler Date: Thu Feb 6 18:15:24 2014 -0500 make GRKERNSEC_HIDESYM also protect the target directory specified with the O= arg to 'make' grsecurity/Makefile | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 10a483b7ae687f15e3836234175920518ec50fa7 Merge: 95e6c94 5a87ea7 Author: Brad Spengler Date: Thu Feb 6 17:21:02 2014 -0500 Merge branch 'pax-test' into grsec-test commit 5a87ea74aab86c3c211612d1ae7cac26694b736d Merge: 1554390 fd82174 Author: Brad Spengler Date: Thu Feb 6 17:19:50 2014 -0500 Merge branch 'linux-3.13.y' into pax-test Conflicts: net/compat.c commit 95e6c94d6945ce8acfb56997feada8fde8aab8a6 Author: Brad Spengler Date: Wed Feb 5 23:43:27 2014 -0500 avoid printing jibberish in some instances with RANDSTRUCT and modules built with other seeds, as the kernel's module loader trusts the module layout kernel/module.c | 25 +++++++++++++++++++++++++ 1 files changed, 25 insertions(+), 0 deletions(-) commit 71ff747386915adda2113b08c47b0ccb1683dea5 Author: Brad Spengler Date: Wed Feb 5 23:32:26 2014 -0500 Introduce the non-performance mode -- the performance mode had previously been inadvertently forced on regardless of config setting Resolve an issue with gcc completing declarations for recently finished types *before* the plugin's finish_type being called to randomize that structure. This resulted in too small a structure size being emitted for this_module and generally crashes whenever modules were loaded. Makefile | 2 +- tools/gcc/randomize_layout_plugin.c | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletions(-) commit e17b47e4f837bb769f5159b928f5accce5131514 Author: Brad Spengler Date: Mon Feb 3 17:30:32 2014 -0500 select DEBUG_KERNEL in addition to DEBUG_LIST security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1a4fd0231e9cee0203dd7f10faf89d721883b6a4 Merge: 5fb88fe 1554390 Author: Brad Spengler Date: Sun Feb 2 21:25:11 2014 -0500 Merge branch 'pax-test' into grsec-test commit 1554390d0c012ebcbe8734216913fcb94681db2b Author: Brad Spengler Date: Sun Feb 2 21:24:45 2014 -0500 update plugin start_unit names tools/gcc/latent_entropy_plugin.c | 2 +- tools/gcc/size_overflow_plugin.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 5fb88febacff2f061c9aad406d107177acc3f950 Author: Brad Spengler Date: Sun Feb 2 21:23:30 2014 -0500 update copyright date grsecurity/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f4d392661ab08166ed1aa81d4f1d90fec146f761 Author: Brad Spengler Date: Sun Feb 2 21:23:08 2014 -0500 update copyright message grsecurity/Makefile | 22 ++++++++++++++++------ 1 files changed, 16 insertions(+), 6 deletions(-) commit 7bd6dcd5823155b1948fe0815a7aa173da6bea35 Author: Brad Spengler Date: Sat Feb 1 19:53:04 2014 -0500 update RANDSTRUCT plugin to eliminate false posities on struct type mismatches resulting from an IS_ERR() sequence add checks for bad casts in local and global variable initializers use the main variant when comparing types tools/gcc/randomize_layout_plugin.c | 150 +++++++++++++++++++++++++++++++++-- 1 files changed, 144 insertions(+), 6 deletions(-) commit 5349795dd080969318409078672c2c53c0645354 Author: Brad Spengler Date: Sat Feb 1 15:13:06 2014 -0500 remove unnecessary TODO_* flags for our passive bad cast gimple pass tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a22b89b09d12e3db4b464d3b26e45c7b3a65c0ba Author: Brad Spengler Date: Sat Feb 1 10:55:36 2014 -0500 fix RANDSTRUCT plugin compatibility with gcc 4.9 tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b3d5d360931c93bdeaf6fa199e29f47e7f70b17b Author: Brad Spengler Date: Fri Jan 31 21:52:14 2014 -0500 sanity check to make sure we never randomize a struct in include/uapi/* scripts/gen-random-seed.sh | 2 +- tools/gcc/randomize_layout_plugin.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletions(-) commit d2057f02e759a707a700bc9c80d1f7f55afa89f1 Author: Brad Spengler Date: Fri Jan 31 18:11:51 2014 -0500 force on modversion support if RANDSTRUCT is enabled so that we're sure no modules can be loaded that were built with a different seed grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 5e1f8e0b67af1f2876f1906eab828914a1c2670b Author: Brad Spengler Date: Thu Jan 30 16:47:31 2014 -0500 Fix an extremely serious vulnerability (it's nearly an arbitrary write) introduced in 3.4 with the addition of X32 support. Hopefully most users haven't enabled this option, but as it's enabled now in some distros (e.g. Ubuntu, which is affected) the chance is more likely for those importing base configs from such a distro. I would recommend you disable X32 support, especially if you're not using it. As this bug could have been discovered with even a completely dumb syscall fuzzer, it should be clear what level of testing went into X32 support. Normally we would have fixed this immediately, announced it, and moved on, but this was not my bug and not my choice. So I got to wait for the likes of linux-distros and security@kernel.org to decide when it could be fixed, while I had to continue releasing grsecurity patches without the fix for a serious vulnerability I was aware of for two days. I'm not happy at all about this, and this is exactly why I refuse to work in any kind of situation where I would become aware of something that I couldn't fix immediately. Hopefully this is the last time this will happen. Credits to the PaX Team for finding the bug and writing the fix. This is CVE-2014-0038. net/compat.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit 9d599455aa9fb272a7160c3f8276771a5af7c74a Merge: 6aeb51b f93afd1 Author: Brad Spengler Date: Wed Jan 29 21:49:00 2014 -0500 Merge branch 'pax-test' into grsec-test commit f93afd1627ef450a96e96bdb2b984aefb66cb531 Author: Brad Spengler Date: Wed Jan 29 21:48:24 2014 -0500 Update to pax-linux-3.13.1-test6.patch: - forward port to 3.13.1 - fixed a weak UDEREF regression resulting in a kernel hang on boot, reported by Negres arch/x86/include/asm/uaccess_64.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 18727190851782d5ee2b5fe579e4a4c379303a34 Merge: b9c766b 07ecf16 Author: Brad Spengler Date: Wed Jan 29 21:41:57 2014 -0500 Merge branch 'linux-3.13.y' into pax-test commit 6aeb51bccfcad549c3b39235df08aa043cdfa9bc Author: Weston Andros Adamson Date: Tue Dec 17 12:16:11 2013 -0500 Upstream commit: 6ff33b7dd0228b7d7ed44791bbbc98b03fd15d9d sunrpc: Fix infinite loop in RPC state machine When a task enters call_refreshresult with status 0 from call_refresh and !rpcauth_uptodatecred(task) it enters call_refresh again with no rate-limiting or max number of retries. Instead of trying forever, make use of the retry path that other errors use. This only seems to be possible when the crrefresh callback is gss_refresh_null, which only happens when destroying the context. To reproduce: 1) mount with sec=krb5 (or sec=sys with krb5 negotiated for non FSID specific operations). 2) reboot - the client will be stuck and will need to be hard rebooted BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:2:46] Modules linked in: rpcsec_gss_krb5 nfsv4 nfs fscache ppdev crc32c_intel aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd serio_raw i2c_piix4 i2c_core e1000 parport_pc parport shpchp nfsd auth_rpcgss oid_registry exportfs nfs_acl lockd sunrpc autofs4 mptspi scsi_transport_spi mptscsih mptbase ata_generic floppy irq event stamp: 195724 hardirqs last enabled at (195723): [] restore_args+0x0/0x30 hardirqs last disabled at (195724): [] apic_timer_interrupt+0x6a/0x80 softirqs last enabled at (195722): [] __do_softirq+0x1df/0x276 softirqs last disabled at (195717): [] irq_exit+0x53/0x9a CPU: 0 PID: 46 Comm: kworker/0:2 Not tainted 3.13.0-rc3-branch-dros_testing+ #4 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013 Workqueue: rpciod rpc_async_schedule [sunrpc] task: ffff8800799c4260 ti: ffff880079002000 task.ti: ffff880079002000 RIP: 0010:[] [] __rpc_execute+0x8a/0x362 [sunrpc] RSP: 0018:ffff880079003d18 EFLAGS: 00000246 RAX: 0000000000000005 RBX: 0000000000000007 RCX: 0000000000000007 RDX: 0000000000000007 RSI: ffff88007aecbae8 RDI: ffff8800783d8900 RBP: ffff880079003d78 R08: ffff88006e30e9f8 R09: ffffffffa005a3d7 R10: ffff88006e30e7b0 R11: ffff8800783d8900 R12: ffffffffa006675e R13: ffff880079003ce8 R14: ffff88006e30e7b0 R15: ffff8800783d8900 FS: 0000000000000000(0000) GS:ffff88007f200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3072333000 CR3: 0000000001a0b000 CR4: 00000000001407f0 Stack: ffff880079003d98 0000000000000246 0000000000000000 ffff88007a9a4830 ffff880000000000 ffffffff81073f47 ffff88007f212b00 ffff8800799c4260 ffff8800783d8988 ffff88007f212b00 ffffe8ffff604800 0000000000000000 Call Trace: [] ? trace_hardirqs_on_caller+0x145/0x1a1 [] rpc_async_schedule+0x27/0x32 [sunrpc] [] process_one_work+0x211/0x3a5 [] ? process_one_work+0x172/0x3a5 [] worker_thread+0x134/0x202 [] ? rescuer_thread+0x280/0x280 [] ? rescuer_thread+0x280/0x280 [] kthread+0xc9/0xd1 [] ? __kthread_parkme+0x61/0x61 [] ret_from_fork+0x7c/0xb0 [] ? __kthread_parkme+0x61/0x61 Code: e8 87 63 fd e0 c6 05 10 dd 01 00 01 48 8b 43 70 4c 8d 6b 70 45 31 e4 a8 02 0f 85 d5 02 00 00 4c 8b 7b 48 48 c7 43 48 00 00 00 00 <4c> 8b 4b 50 4d 85 ff 75 0c 4d 85 c9 4d 89 cf 0f 84 32 01 00 00 And the output of "rpcdebug -m rpc -s all": RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refresh (status 0) RPC: 61 call_refreshresult (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refresh (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 RPC: 61 call_refreshresult (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refresh (status 0) RPC: 61 call_refreshresult (status 0) RPC: 61 refreshing RPCSEC_GSS cred ffff88007a413cf0 Signed-off-by: Weston Andros Adamson Cc: stable@vger.kernel.org # 2.6.37+ Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 9ad04e13872458b4883e9f8f087cad538ae8f3e3 Author: Scott Mayhew Date: Fri Jan 17 15:12:05 2014 -0500 Upstream commit: 263b4509ec4d47e0da3e753f85a39ea12d1eff24 nfs: always make sure page is up-to-date before extending a write to cover the entire page We should always make sure the cached page is up-to-date when we're determining whether we can extend a write to cover the full page -- even if we've received a write delegation from the server. Commit c7559663 added logic to skip this check if we have a write delegation, which can lead to data corruption such as the following scenario if client B receives a write delegation from the NFS server: Client A: # echo 123456789 > /mnt/file Client B: # echo abcdefghi >> /mnt/file # cat /mnt/file 0�D0�abcdefghi Just because we hold a write delegation doesn't mean that we've read in the entire page contents. Cc: # v3.11+ Signed-off-by: Scott Mayhew Signed-off-by: Trond Myklebust fs/nfs/write.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit d6a427afc951e705a45d18fe513b4a9644b54586 Author: Trond Myklebust Date: Fri Jan 17 17:03:41 2014 -0500 Upstream commit: 64590daa9e0dfb3aad89e3ab9230683b76211d5b NFSv4.1: Handle errors correctly in nfs41_walk_client_list Both nfs41_walk_client_list and nfs40_walk_client_list expect the 'status' variable to be set to the value -NFS4ERR_STALE_CLIENTID if the loop fails to find a match. The problem is that the 'pos->cl_cons_state > NFS_CS_READY' changes the value of 'status', and sets it either to the value '0' (which indicates success), or to the value EINTR. Cc: stable@vger.kernel.org # 3.7.x: 7b1f1fd1842e6: NFSv4/4.1: Fix bugs in Signed-off-by: Trond Myklebust fs/nfs/nfs4client.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit f7c465156fdef12a66d0a59114582dc4d4d7f406 Author: Weston Andros Adamson Date: Sun Jan 19 22:45:36 2014 -0500 Upstream commit: abad2fa5ba67725a3f9c376c8cfe76fbe94a3041 nfs4: fix discover_server_trunking use after free If clp is new (cl_count = 1) and it matches another client in nfs4_discover_server_trunking, the nfs_put_client will free clp before ->cl_preserve_clid is set. Cc: stable@vger.kernel.org # 3.7+ Signed-off-by: Weston Andros Adamson Signed-off-by: Trond Myklebust fs/nfs/nfs4client.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit d3737c02af42ac32da97dc30dac94ae7343cec14 Author: Heiko Carstens Date: Mon Jan 27 17:07:19 2014 -0800 Upstream commit: 592f6b842f64e416c7598a1b97c649b34241e22d compat: fix sys_fanotify_mark Commit 91c2e0bcae72 ("unify compat fanotify_mark(2), switch to COMPAT_SYSCALL_DEFINE") added a new unified compat fanotify_mark syscall to be used by all architectures. Unfortunately the unified version merges the split mask parameter in a wrong way: the lower and higher word got swapped. This was discovered with glibc's tst-fanotify test case. Signed-off-by: Heiko Carstens Reported-by: Andreas Krebbel Cc: "James E.J. Bottomley" Acked-by: "David S. Miller" Acked-by: Al Viro Cc: Benjamin Herrenschmidt Cc: Ingo Molnar Cc: Ralf Baechle Cc: [3.10+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/fanotify/fanotify_user.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit ae72596a96d46255c781f07ee2de05abe57d43ff Merge: 5254ff7 b9c766b Author: Brad Spengler Date: Tue Jan 28 18:23:25 2014 -0500 Merge branch 'pax-test' into grsec-test commit b9c766bc9706fcfe5bbe0df099178e8eaa643327 Author: Brad Spengler Date: Tue Jan 28 18:22:46 2014 -0500 Update to pax-linux-3.13-test6.patch: - fixed the TRACE_IRQFLAGS/KERNEXEC problem for real, 3rd time's a charm, by minipli - fixed a size overflow false positive in skb_network_offset due to an intentional overflow, by Emese Revfy, reported by Nikita Matovs arch/x86/kernel/entry_64.S | 22 ++++++++++++---------- include/linux/skbuff.h | 2 +- 2 files changed, 13 insertions(+), 11 deletions(-) commit 5254ff73f13759d893213092da5fd654ca22960f Merge: 7e5aad2 c956349 Author: Brad Spengler Date: Mon Jan 27 22:52:22 2014 -0500 Merge branch 'pax-test' into grsec-test commit c956349a3335c72308d1bce7524f2e0f521ff709 Author: Brad Spengler Date: Mon Jan 27 22:51:57 2014 -0500 Update to pax-linux-3.13-test5.patch: - new size overflow hash table from spender - backported http://git.kernel.org/linus/34228d473ef - fixed CONFIG_MEM_SOFT_DIRTY interference with _PAGE_NX on x86 - fixed the size overflow plugin for gcc 4.9, by Emese Revfy arch/x86/include/asm/pgtable_types.h | 2 +- mm/mmap.c | 12 +++++++++- tools/gcc/gcc-common.h | 2 + tools/gcc/size_overflow_hash.data | 33 ++++++++++++++++++++++++++-- tools/gcc/size_overflow_plugin.c | 38 +++++++++++++++++----------------- 5 files changed, 62 insertions(+), 25 deletions(-) commit 7e5aad2c98c49f82bdd6a6949133c0393b743e4a Author: Brad Spengler Date: Mon Jan 27 21:12:59 2014 -0500 update size_overflow hash table tools/gcc/size_overflow_hash.data | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 9583ac30e401a97397c5a4a30564521bc2d8afeb Author: Brad Spengler Date: Mon Jan 27 20:33:30 2014 -0500 Relicense RANDSTRUCT plugin as GPLv2, removing the GPLv3 option tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f4afefdb6f09d22d5c0a74cf2a3ff4f44a67a8c8 Author: Brad Spengler Date: Mon Jan 27 20:30:10 2014 -0500 Make all grsecurity code GPLv2 only for future releases. Not really important as grsecurity is a derivative work of the Linux kernel and thus forced to be GPLv2, the "or higher" was superfluous. grsecurity/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 718e2b2400f29a7fa414c6c5d383f82658a3457f Author: Brad Spengler Date: Sun Jan 26 22:22:52 2014 -0500 update size_overflow hash table tools/gcc/size_overflow_hash.data | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit a4369fd780e658a9d26bedc53415261286caefe5 Merge: c93ceb8 f3b1213 Author: Brad Spengler Date: Sun Jan 26 21:24:43 2014 -0500 Merge branch 'pax-test' into grsec-test commit f3b12134d032b0bfc2a9fc2183a50fabcaabdbf5 Author: Brad Spengler Date: Sun Jan 26 21:24:17 2014 -0500 Update to pax-linux-3.13-test4.patch: - fixed a constify plugin regression, reported by spender - updated gcc-common.h tools/gcc/constify_plugin.c | 4 +- tools/gcc/gcc-common.h | 68 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 65 insertions(+), 7 deletions(-) commit 962a3acff3d42cf360932f438a666224b8597012 Author: Brad Spengler Date: Sun Jan 26 21:24:01 2014 -0500 Revert "fix an assert triggering in constify plugin update, real fix coming later" This reverts commit 899baaf06fdd79f9b9b410a414695ba7b80f6203. tools/gcc/constify_plugin.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit c93ceb8d5ed604ddd5580de9a764fc411824c5c0 Author: Brad Spengler Date: Sun Jan 26 21:18:31 2014 -0500 update size_overflow hash table tools/gcc/size_overflow_hash.data | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) commit b42c965a52f58915c8fd048749c1dc5bcf373339 Merge: 663306e 899baaf Author: Brad Spengler Date: Sun Jan 26 20:35:52 2014 -0500 Merge branch 'pax-test' into grsec-test commit 899baaf06fdd79f9b9b410a414695ba7b80f6203 Author: Brad Spengler Date: Sun Jan 26 20:34:49 2014 -0500 fix an assert triggering in constify plugin update, real fix coming later tools/gcc/constify_plugin.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 663306edb8f76d8be46c39ba6aafcdec3e000ab1 Author: Brad Spengler Date: Sun Jan 26 18:24:44 2014 -0500 fix typo tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4539e5f2729719d07095cf267ea426524f7dc8f9 Author: Brad Spengler Date: Sun Jan 26 18:22:33 2014 -0500 Update RANDSTRUCT plugin for gcc 4.9 and gcc-common.h tools/gcc/randomize_layout_plugin.c | 77 +++++++++++++++++++---------------- 1 files changed, 42 insertions(+), 35 deletions(-) commit 3344ccde1ca59e4e0a4105f25ffbab561e5ee582 Merge: ff96162 0b83e85 Author: Brad Spengler Date: Sun Jan 26 18:04:38 2014 -0500 Merge branch 'pax-test' into grsec-test commit 0b83e85c64c9e6e4328cac45d980cdd7e088f157 Author: Brad Spengler Date: Sun Jan 26 18:03:50 2014 -0500 Update to pax-linux-3.13-test3.patch: - gcc plugin updates - ported them to gcc trunk (future 4.9) - introduced gcc-common.h to simplify gcc version dependencies - updated size overflow hash table from spender - fixed kallocstat to detect constant size arguments early - fixed constify to preserve type qualifiers on pointer-to-self fields - added a few sparse/checker annotations and changes to satisfy gcc's address space logic - fixed the TRACE_IRQFLAGS problem reported by minipli again arch/x86/ia32/ia32_signal.c | 6 +- arch/x86/include/asm/uaccess_64.h | 4 +- arch/x86/kernel/entry_64.S | 112 ++++---- arch/x86/kernel/preempt.S | 3 + arch/x86/kernel/tboot.c | 2 +- arch/x86/kernel/xsave.c | 8 +- arch/x86/lib/thunk_64.S | 2 +- block/compat_ioctl.c | 2 +- drivers/gpu/drm/drm_crtc.c | 2 +- drivers/gpu/drm/qxl/qxl_ioctl.c | 6 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 10 +- drivers/media/v4l2-core/v4l2-ctrls.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 2 +- drivers/mmc/card/block.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/vhost/vringh.c | 18 +- drivers/video/fbmem.c | 2 +- fs/compat_ioctl.c | 2 +- fs/exec.c | 2 +- fs/proc/vmcore.c | 4 +- include/uapi/linux/videodev2.h | 2 +- ipc/compat.c | 2 +- kernel/compat.c | 2 +- kernel/kmod.c | 4 +- net/9p/client.c | 6 +- net/compat.c | 2 +- net/core/filter.c | 2 +- net/netfilter/nft_compat.c | 4 +- net/socket.c | 6 +- net/tipc/subscr.c | 2 +- sound/pci/hda/hda_codec.c | 2 +- tools/gcc/Makefile | 2 +- tools/gcc/checker_plugin.c | 30 +-- tools/gcc/colorize_plugin.c | 62 +++-- tools/gcc/constify_plugin.c | 105 ++++---- tools/gcc/gcc-common.h | 207 +++++++++++++++ tools/gcc/kallocstat_plugin.c | 164 +++++++------ tools/gcc/kernexec_plugin.c | 333 ++++++++++++++---------- tools/gcc/latent_entropy_plugin.c | 146 +++++------ tools/gcc/size_overflow_hash.data | 68 +++++- tools/gcc/size_overflow_plugin.c | 348 +++++++++++-------------- tools/gcc/stackleak_plugin.c | 236 +++++++++-------- tools/gcc/structleak_plugin.c | 90 +++---- 43 files changed, 1149 insertions(+), 871 deletions(-) commit ff9616214c2e875db763bd395dce11df378df896 Author: Brad Spengler Date: Sun Jan 26 13:35:44 2014 -0500 pass hashed seed define as a string Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 39961e3ad1abacccc8a2de280868bcfe52a1edff Author: Brad Spengler Date: Sun Jan 26 12:44:21 2014 -0500 add a sha256-hashed version of the seed to modversion to ensure no modules compiled with another seed can be loaded Documentation/dontdiff | 1 + Makefile | 4 +++- include/linux/vermagic.h | 8 +++++++- scripts/gen-random-seed.sh | 2 +- tools/gcc/.gitignore | 1 + 5 files changed, 13 insertions(+), 3 deletions(-) commit 1df9ff15112f3713997ac10e915b99ad99d2e33a Author: Brad Spengler Date: Sun Jan 26 11:26:44 2014 -0500 Force HIDESYM on if RANDSTRUCT is used, just in case there is a user who already isn't enabling it (to prevent the seed from potentially being visible to other users if compiled on the same machine). Suggested by minipli grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 5ee75cac712d37f79de1e6f509a18749258b2085 Author: Brad Spengler Date: Sun Jan 26 01:01:31 2014 -0500 Update size_overflow hash table tools/gcc/size_overflow_hash.data | 19 +++++++++++++++++-- 1 files changed, 17 insertions(+), 2 deletions(-) commit d87a88e0b3298c9d39bb7b3257dabb8fc17b8e9c Author: Brad Spengler Date: Sat Jan 25 22:19:55 2014 -0500 update to new mount_lock grsecurity/gracl.c | 24 +++++++++++------------- 1 files changed, 11 insertions(+), 13 deletions(-) commit 677d1d169912d98b7a139563ab7f7fb82ee6c3c5 Author: Brad Spengler Date: Sat Jan 25 19:05:59 2014 -0500 compile fix init/main.c | 4 ---- 1 files changed, 0 insertions(+), 4 deletions(-) commit c8496c1e0bb5cbed7aff11ee208a7a89ffd80b40 Author: Brad Spengler Date: Sat Jan 25 19:00:50 2014 -0500 resync random code with 3.13 include/linux/random.h | 4 ++++ include/uapi/linux/random.h | 7 ------- 2 files changed, 4 insertions(+), 7 deletions(-) commit 3d168ee50cb706276c805ae1d6a5e8417a91067a Author: Brad Spengler Date: Sat Jan 25 14:54:11 2014 -0500 Fix another compiler error caught by RANDSTRUCT Signed-off-by: Brad Spengler sound/isa/sb/emu8000_synth.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit bc4a5595404b985a2b17e84d29765b7af7e968ca Author: Brad Spengler Date: Sat Jan 25 14:34:12 2014 -0500 Fix another compiler error caught by RANDSTRUCT Signed-off-by: Brad Spengler drivers/net/wan/z85230.c | 24 ++++++++++++------------ 1 files changed, 12 insertions(+), 12 deletions(-) commit 0f0da7cb40431fe816aa356499bff026452cfc44 Author: Brad Spengler Date: Sat Jan 25 14:30:46 2014 -0500 fix compilation with RANDSTRUCT plugin Signed-off-by: Brad Spengler sound/drivers/opl4/opl4_seq.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 97d6cc865b9cf64fada1fcaabfa923fecee54ef7 Author: Brad Spengler Date: Sat Jan 25 14:16:18 2014 -0500 avoid problems by just building our fake field decl node from scratch Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 6455dfb41e9c0d3f26f00ef2f505bd0f74aa8dca Author: Brad Spengler Date: Sat Jan 25 13:45:18 2014 -0500 while in non-debug mode, don't emit notes for non-randomized struct types clear all signs from our fake field decl of being a bitfield Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 35909486eebb6c1ab27956ef6cc35e19e19282a2 Author: Brad Spengler Date: Sat Jan 25 12:56:05 2014 -0500 revert change to read-only marking of fake struct field Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bbd5d12c912390e0bdb6ddde81279b579fc94edb Author: Brad Spengler Date: Sat Jan 25 12:42:48 2014 -0500 Update RANDSTRUCT plugin help Signed-off-by: Brad Spengler tools/gcc/randomize_layout_plugin.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 0d829e61f501ae59387a6e1d0f9060d5555ac588 Author: Brad Spengler Date: Sat Jan 25 12:25:43 2014 -0500 Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures automatically enabled by GRKERNSEC_CONFIG_AUTO performance mode is activated if the config priority is set to performance Signed-off-by: Brad Spengler Documentation/dontdiff | 1 + Makefile | 12 +- arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/block/cciss.h | 30 +- drivers/block/drbd/drbd_interval.c | 6 +- drivers/block/smart1,2.h | 40 +- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/wan/lmc/lmc_media.c | 97 ++-- drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 20 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- drivers/video/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/matrox/matroxfb_Ti3026.c | 5 +- fs/mount.h | 4 +- fs/proc/internal.h | 4 +- fs/reiserfs/item_ops.c | 24 +- grsecurity/Kconfig | 31 +- include/linux/compiler-gcc4.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 4 +- include/linux/dcache.h | 2 +- include/linux/fs.h | 14 +- include/linux/fs_struct.h | 2 +- include/linux/ipc_namespace.h | 2 +- include/linux/kobject.h | 2 +- include/linux/mm_types.h | 4 +- include/linux/module.h | 4 +- include/linux/mount.h | 2 +- include/linux/pid_namespace.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/sched.h | 6 +- include/linux/sysctl.h | 2 +- include/linux/tty.h | 2 +- include/linux/tty_driver.h | 2 +- include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 2 +- lib/rbtree.c | 4 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/decnet/dn_dev.c | 2 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- scripts/Makefile | 2 + scripts/gen-random-seed.sh | 8 + sound/core/seq/oss/seq_oss.c | 4 +- sound/core/seq/seq_midi.c | 4 +- sound/drivers/opl3/opl3_seq.c | 4 +- sound/pci/emu10k1/emu10k1_synth.c | 4 +- sound/synth/emux/emux_seq.c | 14 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 2 + tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++ 74 files changed, 1222 insertions(+), 390 deletions(-) commit 301f9fc40e1bed50d31034a192bc95874d5bf3b6 Author: Brad Spengler Date: Sun Jan 19 09:00:56 2014 -0500 compile fix Signed-off-by: Brad Spengler include/linux/random.h | 4 ---- include/uapi/linux/random.h | 7 +++++++ 2 files changed, 7 insertions(+), 4 deletions(-) commit b79910431008b8ce731d45aa3aecc75fe33c928c Author: Hannes Frederic Sowa Date: Mon Nov 11 12:20:34 2013 +0100 Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9 random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized The Tausworthe PRNG is initialized at late_initcall time. At that time the entropy pool serving get_random_bytes is not filled sufficiently. This patch adds an additional reseeding step as soon as the nonblocking pool gets marked as initialized. On some machines it might be possible that late_initcall gets called after the pool has been initialized. In this situation we won't reseed again. (A call to prandom_seed_late blocks later invocations of early reseed attempts.) Joint work with Daniel Borkmann. Cc: Eric Dumazet Cc: Theodore Ts'o Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Acked-by: "Theodore Ts'o" Signed-off-by: David S. Miller Conflicts: lib/random32.c Signed-off-by: Brad Spengler drivers/char/random.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 31dee23268ac47eaaafacb186229bc14fb84fa9b Author: Brad Spengler Date: Sat Jan 18 20:43:43 2014 -0500 Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls Signed-off-by: Brad Spengler net/socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit ffccf022adef560230b6a641c612f33600ce0e6b Author: Brad Spengler Date: Wed Jan 8 20:24:27 2014 -0500 zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it Signed-off-by: Brad Spengler fs/proc/stat.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a96a6e3b96ffa8c96fa3939c109dc783de2110e0 Author: Brad Spengler Date: Wed Jan 8 18:13:15 2014 -0500 fix typo Signed-off-by: Brad Spengler mm/vmstat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4c084ac8468cdd4bbb8458fae4d0b6d2d1d5afd1 Author: Brad Spengler Date: Wed Jan 8 18:06:53 2014 -0500 provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened Signed-off-by: Brad Spengler mm/vmstat.c | 21 +++++++++++++++------ 1 files changed, 15 insertions(+), 6 deletions(-) commit e0d003dfd4911828f08fa93da2138c9f3be4f352 Author: Brad Spengler Date: Wed Jan 8 17:46:46 2014 -0500 back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers Signed-off-by: Brad Spengler drivers/pci/pci-sysfs.c | 9 --------- drivers/pci/proc.c | 3 --- 2 files changed, 0 insertions(+), 12 deletions(-) commit 0a0823fe85e85b9ad92131a35fe57e9aebc30260 Author: Brad Spengler Date: Thu Jan 2 17:05:39 2014 -0500 add missing #include Signed-off-by: Brad Spengler fs/proc/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 867c7a59c12374d99c59b9c99a1bf8214583baad Author: Brad Spengler Date: Thu Jan 2 17:02:24 2014 -0500 Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc) Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 checks currently Signed-off-by: Brad Spengler drivers/pci/pci-sysfs.c | 17 +++++++---------- drivers/pci/proc.c | 13 ++----------- drivers/pci/syscall.c | 4 ---- 3 files changed, 9 insertions(+), 25 deletions(-) commit e9075cc0c4bab695e2eea8e8ba8f8acfa3cef2ed Author: Brad Spengler Date: Tue Dec 31 10:30:20 2013 -0500 Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry Signed-off-by: Brad Spengler fs/proc/stat.c | 34 ++++++++++++++++++++++++---------- 1 files changed, 24 insertions(+), 10 deletions(-) commit 7a559ce128070d9d79bf4490a258dba677fa741e Author: Brad Spengler Date: Mon Dec 30 11:19:53 2013 -0500 Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1 Signed-off-by: Brad Spengler fs/proc/interrupts.c | 4 ++++ fs/proc/stat.c | 4 ++++ 2 files changed, 8 insertions(+), 0 deletions(-) commit 3898c8157466ff87ef613785f207c019ba8174cb Author: Brad Spengler Date: Mon Dec 30 11:13:49 2013 -0500 Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information. Signed-off-by: Brad Spengler grsecurity/Kconfig | 16 ++++++++++------ grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++--- include/linux/grmsg.h | 2 +- ipc/util.c | 3 ++- 4 files changed, 42 insertions(+), 11 deletions(-) commit 2a5eb70e0981fd24168be9e5d1c30735a922edca Author: Brad Spengler Date: Thu Dec 26 19:20:26 2013 -0500 add missing #include Signed-off-by: Brad Spengler grsecurity/grsec_mount.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7d66c996e754d41be945e7a2997b364643a13977 Author: Brad Spengler Date: Thu Dec 26 15:51:51 2013 -0500 Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM Signed-off-by: Brad Spengler grsecurity/Kconfig | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit bc9b4fe1db97c913b2c1163a90805c52c0f0df65 Author: Brad Spengler Date: Thu Dec 26 15:35:31 2013 -0500 Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig). Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- grsecurity/grsec_mount.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 2b5ad27e4a323648a0db99a9fa3f27b042dd70f0 Author: Brad Spengler Date: Wed Dec 25 16:37:02 2013 -0500 Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not the other way around (to produce more secure settings when distro configs are used as a base) Signed-off-by: Brad Spengler drivers/acpi/custom_method.c | 4 ++++ drivers/pci/pci-sysfs.c | 12 ++++++++++++ drivers/pci/proc.c | 12 ++++++++++++ drivers/pci/syscall.c | 4 ++++ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ kernel/power/Kconfig | 2 ++ security/Kconfig | 1 - 7 files changed, 46 insertions(+), 1 deletions(-) commit c70c49f956beb3d785ca20466c4e5c1d84d7356b Author: Brad Spengler Date: Wed Dec 25 15:11:51 2013 -0500 remove unused 'dentry' variable Signed-off-by: Brad Spengler fs/xattr.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit cb20fb467591aa2a85a8c12a1bc215a01ed75b18 Author: Brad Spengler Date: Wed Dec 25 15:03:13 2013 -0500 Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use. Signed-off-by: Brad Spengler fs/xattr.c | 18 +++++++++++------- grsecurity/gracl_fs.c | 6 ++++++ grsecurity/grsec_disabled.c | 6 ++++++ include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 2 ++ 5 files changed, 27 insertions(+), 8 deletions(-) commit 482ec0da63b38a9c20cc2205bc7ea87a3985d164 Author: Brad Spengler Date: Fri Dec 20 20:18:56 2013 -0500 compile fix Signed-off-by: Brad Spengler fs/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 038cc5994b483905c9c0b9e6259a84f7333becc2 Author: Brad Spengler Date: Fri Dec 13 19:39:54 2013 -0500 Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy) In practice this causes bogus auditing messages for / and could potentially cause a subject without executable shared memory support to permit executable shared memory (if PaX is disabled on the binary). Instead just allocate these two special objects with kzalloc at enable time and free them at disable time. Thanks to nyt@countercultured.net for the report Signed-off-by: Brad Spengler grsecurity/gracl_policy.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b67b5e4666934693bb1fc4804ca60724f98a54d7 Author: Brad Spengler Date: Wed Dec 4 18:15:02 2013 -0500 Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2 Signed-off-by: Brad Spengler fs/coredump.c | 7 +++++-- grsecurity/grsec_sig.c | 14 ++------------ include/linux/grsecurity.h | 2 +- 3 files changed, 8 insertions(+), 15 deletions(-) commit ad3f9d56b43c4c448d5ba55d4e073e66a59898d7 Author: Brad Spengler Date: Tue Dec 3 19:39:04 2013 -0500 Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated. Disable KEXEC when GRKERNSEC_KMEM is enabled: http://mjg59.dreamwidth.org/28746.html Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present Signed-off-by: Brad Spengler arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/mips/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/tile/Kconfig | 1 + arch/x86/Kconfig | 1 + arch/x86/kernel/ioport.c | 12 ++++++------ grsecurity/Kconfig | 27 +++++++++++---------------- 8 files changed, 23 insertions(+), 22 deletions(-) commit 7044221d2d6e8d8e8fa26d5c30c72bd6e1d9b599 Author: Brad Spengler Date: Tue Nov 26 15:16:48 2013 -0500 Fix null deref on application of the shutdown role, reported by zakalwe Signed-off-by: Brad Spengler grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++- grsecurity/gracl_policy.c | 58 ++++----------------------------------------- 2 files changed, 62 insertions(+), 54 deletions(-) commit 1f894d3a1357fa9c7b2f849079546115fc797fd8 Author: Brad Spengler Date: Tue Nov 26 13:04:07 2013 -0500 Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root Signed-off-by: Brad Spengler kernel/kmod.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit aa561a3ad4b30e8c03837ff96bbcd868e363cb21 Author: Brad Spengler Date: Tue Nov 26 12:59:00 2013 -0500 Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe Signed-off-by: Brad Spengler grsecurity/gracl_policy.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b031d4f071e25462e94f742166b0ea6b8874dae4 Author: Brad Spengler Date: Mon Nov 25 22:33:33 2013 -0500 compile fix Signed-off-by: Brad Spengler kernel/kmod.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00a30755e85c7dbfd1042a0f4c5d911e288c8cc9 Author: Brad Spengler Date: Mon Nov 25 12:01:21 2013 -0500 Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity Signed-off-by: Brad Spengler kernel/kmod.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7177ab477fcc5d670718dafba3f6a454ed2e121e Author: Brad Spengler Date: Sun Nov 24 22:49:05 2013 -0500 Revert "HID: multitouch: validate feature report details" This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684. Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 +++++-------------------- 1 files changed, 5 insertions(+), 20 deletions(-) commit f0d33fb85de097278d1ae605c3d98fc99b578d56 Author: Brad Spengler Date: Sun Nov 24 22:48:49 2013 -0500 Revert "HID: lenovo-tpkbd: validate output report details" This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a. Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit 0c2a1258705b5c90732c2895664965da6a16bebc Author: Brad Spengler Date: Sun Nov 24 22:48:33 2013 -0500 Revert "HID: steelseries: validate output report details" This reverts commit 0996966348dc3c3f7515567d3245292785d484fc. Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit b17b436bd1781a43866931ce6b6ba2811882ade5 Author: Brad Spengler Date: Sun Nov 24 22:08:33 2013 -0500 add missing header Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45eefce5c5dc37368ed21d2b22a2d15973b7c06b Author: Brad Spengler Date: Sun Nov 24 22:04:55 2013 -0500 Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 804611c10dcd6e9486cf374fcbfb2053a80f918d Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 4aeb0dc39f03db1c2c55ebc0cb7797289948a872 Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. Signed-off-by: Brad Spengler grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit cdfd01e44815f0e0cb700b5597b3b2eb44352903 Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change Signed-off-by: Brad Spengler init/main.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 3ac09de20b5b3967c77a59ed064cd05e607ecca8 Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path Signed-off-by: Brad Spengler include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit 7fc979f0a8ffdc501b57e0c9c8b5251b8458d98e Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC Signed-off-by: Brad Spengler arch/arm/mm/fault.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit 9b5ffb45694e2381a73275b029d1cde3ba090555 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c Signed-off-by: Brad Spengler grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit 71ea2cc2fb940a4eaa6a4f6e5084efc91197bed1 Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected Signed-off-by: Brad Spengler kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 36895fdbcf3b528221475a894076611c6340bc6f Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well Signed-off-by: Brad Spengler fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 47474491a88a18956b3c23a0f8ea5a793aeaaf0b Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c Signed-off-by: Brad Spengler net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 8aeb360164c3165b8d843b90776f92748cb0826f Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC Signed-off-by: Brad Spengler grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 65982aa12f534a722a92dd211e9b2461cac099cd Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c07ac5819bfcbb29fe75896f409517acc95f09d0 Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit 7a03cf3e714a075ce6d1b1c4e2cbe269968c32d9 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c Signed-off-by: Brad Spengler drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1822dec9af44fef43a2092fbb98d986d40688e92 Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 252aafc936113beb2c4b654c51ca4f69e34e7ece Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit d91a8c0aac4fd7d52d861fa389d094b0dbe69d8b Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. Signed-off-by: Brad Spengler mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 521a19248a7f3ae875854835be586208d7e94362 Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 88abc9f686cef116d741924e96c8264c6feeb280 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig Signed-off-by: Brad Spengler security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit ca2e0bc771e1868a1b993013d725ab602d8e0454 Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c Signed-off-by: Brad Spengler lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 9f9fda5bdad944095d49943719343439cebceb34 Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/uio/uio.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 0f332bf501f3c2035c63fc3e58f07be9cc96924b Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change Signed-off-by: Brad Spengler grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit d6aeef5cb3bbaa011f74eb38133043965302cc32 Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 02b18c56607ff93f00659ee100517bba70972aca Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed Signed-off-by: Brad Spengler net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8991fc98b032a2338b9fda708d2dad227fbcd83 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) Signed-off-by: Brad Spengler lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c63230b915355cea2649fac21c9469a8c3f88876 Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 0dcfe7e8eac4751d2bbabc48fb63a0118bb353eb Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c Signed-off-by: Brad Spengler fs/namei.c | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) commit 89d5374f91319363bb79c916764c747f3229759c Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() Signed-off-by: Brad Spengler fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fefeb37bc66cf8e1b8c32a1f1e9776f6b701b245 Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit e4a184da44ae23ab3ee9e250d4bc38050e4a3533 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit c96e77a4ec0b7045e4e3e8f6d33937c078a79cb6 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 600c8f5a6a7b57e4ecbb16d10eab3bdfae399299 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 979cb67c276ef34486ed64bb58ed30020bc8a53f Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit d259a636db5500db5e3ddacab82857db244bf46f Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 73872d212f992833add967be12de9628941bdd5b Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 57a621395b231025d33da789f7593da0e9c591a4 Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 6261da1c18366e4b2e0ff28781e0a769a2d31d1b Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9a7678270debd6b7c14ed1e91fb502d73bfaee08 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit efb7731d700d5b4568871670ac0841a84f003029 Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 3469d59da7f6bd0c5838764e5b06bad97193f628 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 03b91bfc983379670fd439b2b3fbec633ea6468d Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 2e9828b85e2ab096affe9e8b52cd68d7a0d8839d Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit aeddd9080b145f520dfdba52e07ffe7ac5c2940a Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 8953b010e785f55d35e96de6d7913b7e6791d9f9 Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 346b6fb51f351bc8a2e52c158794c863b88c730b Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 5a95c583a8e74e8b980ae810c3755d7490f9f208 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be64e6e8a615622f5c8b8feefdbae24dfe1eb13a Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit bf41ff82977f5629d76e58b4eec76e78b6e0794c Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 80c4d845fa846426a226c1807310670fdc3f4fb9 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 29f82c7cc74a11260863cea855cb7bb7b79506db Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit b313d3d863fe87ecf4f79f61e9670955df66685e Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit e0b580d61744ac72ba2275fb5211de2bfc570058 Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit 2860f00640ffc0745e102fc8eea1b4787747a34f Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 271a28185b48e1c659c497837e26350f0b98b56b Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit c7b8b1a6d33fb9f2f33b6661d98ccf034bc4fa88 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 506d84be8c4e9db0b655d3f6da2cec92482b610f Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 7b7d053d1c9209c6810ee0e82d902d633df55114 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit f9503913fa6c0b461e5a6c991eb04b8e369e0dd2 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 4d203a112c51248189db81e89926ed2ccbbf3727 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98cc5ab35c0f012765475db240189e0d72e9e936 Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit aa8d1edbfb648b1b942996d59fa446fd830df989 Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 28b7a6a844d93d88bb83383bb6273cdc22c595ad Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 9490ca70e30846522d28b6f9ca7caf28cdb7b9e3 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 5f7d6c7e7e4ef41577b73936595ed1f28649e9e9 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit 91c416711e2e713d870dc52ce17af0607a82cb75 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 99cad551389634d849387cf5e2054d9aa2c1c1b4 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 9ec58c4629d5aba15d09d4a740b83bf4cdb6da90 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit dd368be2aef36cae4f997fc798087069fb64d442 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 8970e77a91e35ddac604cf96462c600651e94baa Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit d5711d44bf668cdc5d29383e5e16ff884f1991ee Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit f9bf16c3f73ff249219c1a7d457f10b5f5448da1 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit afb88b8065edeb572c4d7992c6916d19a8bbc483 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 981fbde7260e575f99c7c9fc83239fca752cb543 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit c3ebfc69b7c5c12f54ee8b2c34776c503eb825f5 Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 5f3672544ae20bb1a595a849b304d1c168254e2b Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f892f6cf3070e516828ef6b81c39abdec77d7e93 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit bacca56a4c5ce1734004a310588d710ab642c14d Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit bb802e55264979a3517687cc4e3ea4043187a4d6 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit 80af0d78732fcd1345751765d6bdba75e4453096 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Signed-off-by: Brad Spengler Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 13 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 14 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 1 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 3 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 11 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 218 ++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 2 +- grsecurity/gracl_fs.c | 6 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 40 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/locking/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 229 files changed, 4100 insertions(+), 2025 deletions(-) commit 75586073addae35174967d77e1b985e6b534e3f8 Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 0100435c11a01cfbedea13ac5aebd38fb03309b4 Author: Brad Spengler Date: Sat Jan 25 17:32:18 2014 -0500 Initial import of pax-linux-3.13-test2.patch Documentation/dontdiff | 47 +- Documentation/kernel-parameters.txt | 23 + Makefile | 102 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 442 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 31 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 24 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 4 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/cache-l2x0.c | 2 +- arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 140 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 15 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 16 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 2 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 6 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 106 +- arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 10 +- arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 173 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 269 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 166 +- arch/x86/include/asm/bitops.h | 18 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/calling.h | 118 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 78 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 106 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 136 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 15 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/preempt.h | 2 +- arch/x86/include/asm/processor.h | 79 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rmwcc.h | 84 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 162 +- arch/x86/include/asm/uaccess_32.h | 24 +- arch/x86/include/asm/uaccess_64.h | 177 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/include/uapi/asm/ptrace-abi.h | 1 - arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 69 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 132 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 ++- arch/x86/kernel/entry_64.S | 736 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 136 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/jump_label.c | 8 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 63 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 63 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 20 +- arch/x86/lib/copy_user_64.S | 81 +- arch/x86/lib/copy_user_nocache_64.S | 14 + arch/x86/lib/csum-copy_64.S | 18 +- arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 10 +- arch/x86/lib/memmove_64.S | 4 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 2 + arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 12 +- arch/x86/lib/usercopy_32.c | 357 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 564 ++- arch/x86/mm/gup.c | 6 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 151 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 38 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/intel_mid_pci.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/intel-mid/intel-mid.c | 3 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 11 +- arch/x86/xen/smp.c | 21 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/null_blk.c | 27 +- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btwilink.c | 2 +- drivers/bus/arm-cci.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 12 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 13 +- drivers/cpufreq/cpufreq.c | 11 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/intel_pstate.c | 25 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 70 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/driver.c | 2 +- drivers/cpuidle/governor.c | 2 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/cper.c | 8 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 12 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 26 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 61 +- drivers/gpu/drm/tegra/dc.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/nct6775.c | 6 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 4 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/platform/vivi.c | 4 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 67 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_netlink.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/chrome/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/powercap/powercap_sys.c | 136 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 4 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 5 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 15 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/devio.c | 10 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/omap2/dss/display.c | 8 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 678 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/file.c | 10 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 16 +- fs/dcache.c | 5 +- fs/ecryptfs/inode.c | 2 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/file.c | 4 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 200 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/hostfs/hostfs_kern.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 12 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 59 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 41 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 16 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 212 +- include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/bitops/__fls.h | 2 +- include/asm-generic/bitops/fls.h | 2 +- include/asm-generic/bitops/fls64.h | 4 +- include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 15 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitops.h | 6 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 6 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/jiffies.h | 12 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 118 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/padata.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/pm.h | 1 + include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 23 +- include/linux/rculist.h | 20 +- include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 68 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 - include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vga_switcheroo.h | 8 +- include/linux/vmalloc.h | 7 +- include/linux/vmstat.h | 24 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 20 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 4 +- include/net/netns/ipv6.h | 4 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/checksum.h | 4 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 8 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 13 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 2 - include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 78 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 10 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/events/internal.h | 10 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 166 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 +- kernel/locking/lockdep.c | 7 +- kernel/locking/mutex-debug.c | 12 +- kernel/locking/mutex-debug.h | 4 +- kernel/locking/mutex.c | 10 +- kernel/locking/rtmutex-tester.c | 24 +- kernel/module.c | 337 +- kernel/notifier.c | 17 +- kernel/padata.c | 4 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcu/srcu.c | 4 +- kernel/rcu/tiny.c | 4 +- kernel/rcu/torture.c | 56 +- kernel/rcu/tree.c | 76 +- kernel/rcu/tree.h | 26 +- kernel/rcu/tree_plugin.h | 40 +- kernel/rcu/tree_trace.c | 22 +- kernel/rcu/update.c | 4 +- kernel/sched/auto_group.c | 4 +- kernel/sched/completion.c | 6 +- kernel/sched/core.c | 43 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/sys.c | 10 +- kernel/sysctl.c | 34 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 1 - kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/percpu-refcount.c | 2 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 28 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 583 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 42 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 106 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 2 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 75 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/fragmentation.c | 2 +- net/batman-adv/soft-interface.c | 6 +- net/batman-adv/types.h | 6 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 4 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 8 +- net/core/sock.c | 28 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 20 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 37 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 18 +- net/ipv6/addrconf.c | 12 +- net/ipv6/af_inet6.c | 2 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ip6_vti.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 17 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 17 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 8 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 8 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/svcauth_unix.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 22 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/module-common.lds | 4 + scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 689 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/security.c | 9 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 11 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/soc/soc-core.c | 6 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 557 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 474 ++ tools/gcc/latent_entropy_plugin.c | 335 ++ tools/gcc/size_overflow_hash.data | 5618 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 4072 ++++++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 44 +- 1716 files changed, 34523 insertions(+), 8024 deletions(-) commit 512ab625d6d34c2f8602a044454bb1366b80b98e Author: Brad Spengler Date: Sat Jan 25 14:54:11 2014 -0500 Fix another compiler error caught by RANDSTRUCT sound/isa/sb/emu8000_synth.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 43bd0a97d977b78f2a54045bbf98ee967209c144 Author: Brad Spengler Date: Sat Jan 25 14:34:12 2014 -0500 Fix another compiler error caught by RANDSTRUCT drivers/net/wan/z85230.c | 24 ++++++++++++------------ 1 files changed, 12 insertions(+), 12 deletions(-) commit e833f51aa919e2c94bb7ac6979a68cf3f4fcc131 Author: Brad Spengler Date: Sat Jan 25 14:30:46 2014 -0500 fix compilation with RANDSTRUCT plugin sound/drivers/opl4/opl4_seq.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 743f2ccb4dc72e6366e0cf0b371d37951c67ce0d Author: Brad Spengler Date: Sat Jan 25 14:16:18 2014 -0500 avoid problems by just building our fake field decl node from scratch tools/gcc/randomize_layout_plugin.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 9345145bb31148c2fb4918fe989d45bbf1219373 Author: Brad Spengler Date: Sat Jan 25 13:45:18 2014 -0500 while in non-debug mode, don't emit notes for non-randomized struct types clear all signs from our fake field decl of being a bitfield tools/gcc/randomize_layout_plugin.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 946d2d5cafa4f123f6ee36596f67cf8571e461b4 Author: Brad Spengler Date: Sat Jan 25 12:56:05 2014 -0500 revert change to read-only marking of fake struct field tools/gcc/randomize_layout_plugin.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c947104c6a4c0e05ed6440287ad8872e2cbdb2f3 Author: Brad Spengler Date: Sat Jan 25 12:42:48 2014 -0500 Update RANDSTRUCT plugin help tools/gcc/randomize_layout_plugin.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 3757914c9c5d2278f93a3a8dc7d19847c6ee8e3a Author: Brad Spengler Date: Sat Jan 25 12:25:43 2014 -0500 Introduce GRKERNSEC_RANDSTRUCT: automatic structure layout randomization of pure ops structs randomization of marked sensitive kernel structures automatically enabled by GRKERNSEC_CONFIG_AUTO performance mode is activated if the config priority is set to performance Documentation/dontdiff | 1 + Makefile | 12 +- arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/block/cciss.h | 30 +- drivers/block/drbd/drbd_interval.c | 6 +- drivers/block/smart1,2.h | 40 +- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/infiniband/hw/ipath/ipath_dma.c | 26 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/wan/lmc/lmc_media.c | 97 ++-- drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 20 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/media/solo6x10/solo6x10-g723.c | 2 +- drivers/video/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/matrox/matroxfb_Ti3026.c | 5 +- fs/mount.h | 4 +- fs/proc/internal.h | 4 +- fs/reiserfs/item_ops.c | 24 +- grsecurity/Kconfig | 31 +- include/linux/compiler-gcc4.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 4 +- include/linux/dcache.h | 2 +- include/linux/fs.h | 14 +- include/linux/fs_struct.h | 2 +- include/linux/ipc_namespace.h | 2 +- include/linux/kobject.h | 2 +- include/linux/mm_types.h | 4 +- include/linux/module.h | 4 +- include/linux/mount.h | 2 +- include/linux/pid_namespace.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/sched.h | 6 +- include/linux/sysctl.h | 2 +- include/linux/tty.h | 2 +- include/linux/tty_driver.h | 2 +- include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 2 +- lib/rbtree.c | 4 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/decnet/dn_dev.c | 2 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- scripts/Makefile | 2 + scripts/gen-random-seed.sh | 8 + sound/core/seq/oss/seq_oss.c | 4 +- sound/core/seq/seq_midi.c | 4 +- sound/drivers/opl3/opl3_seq.c | 4 +- sound/pci/emu10k1/emu10k1_synth.c | 4 +- sound/synth/emux/emux_seq.c | 14 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 2 + tools/gcc/randomize_layout_plugin.c | 726 +++++++++++++++++++++++ 74 files changed, 1222 insertions(+), 390 deletions(-) commit 44ebc77fd9886fdebf8e3942a935cbe2f3272c3d Author: Brad Spengler Date: Sun Jan 19 09:27:31 2014 -0500 add PRNG self-tests lib/random32.c | 207 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 files changed, 197 insertions(+), 10 deletions(-) commit 7780c290ada57bac294c5a7e5b0286dd604920c5 Author: Brad Spengler Date: Sun Jan 19 09:00:56 2014 -0500 compile fix include/linux/random.h | 4 ---- include/uapi/linux/random.h | 2 +- 2 files changed, 1 insertions(+), 5 deletions(-) commit 4c4359a96c7b208513eb3563c90558cd5d2ca1a0 Author: Daniel Borkmann Date: Mon Nov 11 12:20:36 2013 +0100 Upstream commit: a98814cef87946d2708812ad9f8b1e03b8366b6f random32: upgrade taus88 generator to taus113 from errata paper Since we use prandom*() functions quite often in networking code i.e. in UDP port selection, netfilter code, etc, upgrade the PRNG from Pierre L'Ecuyer's original paper "Maximally Equidistributed Combined Tausworthe Generators", Mathematics of Computation, 65, 213 (1996), 203--213 to the version published in his errata paper [1]. The Tausworthe generator is a maximally-equidistributed generator, that is fast and has good statistical properties [1]. The version presented there upgrades the 3 state LFSR to a 4 state LFSR with increased periodicity from about 2^88 to 2^113. The algorithm is presented in [1] by the very same author who also designed the original algorithm in [2]. Also, by increasing the state, we make it a bit harder for attackers to "guess" the PRNGs internal state. See also discussion in [3]. Now, as we use this sort of weak initialization discussed in [3] only between core_initcall() until late_initcall() time [*] for prandom32*() users, namely in prandom_init(), it is less relevant from late_initcall() onwards as we overwrite seeds through prandom_reseed() anyways with a seed source of higher entropy, that is, get_random_bytes(). In other words, a exhaustive keysearch of 96 bit would be needed. Now, with the help of this patch, this state-search increases further to 128 bit. Initialization needs to make sure that s1 > 1, s2 > 7, s3 > 15, s4 > 127. taus88 and taus113 algorithm is also part of GSL. I added a test case in the next patch to verify internal behaviour of this patch with GSL and ran tests with the dieharder 3.31.1 RNG test suite: $ dieharder -g 052 -a -m 10 -s 1 -S 4137730333 #taus88 $ dieharder -g 054 -a -m 10 -s 1 -S 4137730333 #taus113 With this seed configuration, in order to compare both, we get the following differences: algorithm taus88 taus113 rands/second [**] 1.61e+08 1.37e+08 sts_serial(4, 1st run) WEAK PASSED sts_serial(9, 2nd run) WEAK PASSED rgb_lagged_sum(31) WEAK PASSED We took out diehard_sums test as according to the authors it is considered broken and unusable [4]. Despite that and the slight decrease in performance (which is acceptable), taus113 here passes all 113 tests (only rgb_minimum_distance_5 in WEAK, the rest PASSED). In general, taus/taus113 is considered "very good" by the authors of dieharder [5]. The papers [1][2] states a single warm-up step is sufficient by running quicktaus once on each state to ensure proper initialization of ~s_{0}: Our selection of (s) according to Table 1 of [1] row 1 holds the condition L - k <= r - s, that is, (32 32 32 32) - (31 29 28 25) <= (25 27 15 22) - (18 2 7 13) with r = k - q and q = (6 2 13 3) as also stated by the paper. So according to [2] we are safe with one round of quicktaus for initialization. However we decided to include the warm-up phase of the PRNG as done in GSL in every case as a safety net. We also use the warm up phase to make the output of the RNG easier to verify by the GSL output. In prandom_init(), we also mix random_get_entropy() into it, just like drivers/char/random.c does it, jiffies ^ random_get_entropy(). random-get_entropy() is get_cycles(). xor is entropy preserving so it is fine if it is not implemented by some architectures. Note, this PRNG is *not* used for cryptography in the kernel, but rather as a fast PRNG for various randomizations i.e. in the networking code, or elsewhere for debugging purposes, for example. [*]: In order to generate some "sort of pseduo-randomness", since get_random_bytes() is not yet available for us, we use jiffies and initialize states s1 - s3 with a simple linear congruential generator (LCG), that is x <- x * 69069; and derive s2, s3, from the 32bit initialization from s1. So the above quote from [3] accounts only for the time from core to late initcall, not afterwards. [**] Single threaded run on MacBook Air w/ Intel Core i5-3317U [1] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme2.ps [2] http://www.iro.umontreal.ca/~lecuyer/myftp/papers/tausme.ps [3] http://thread.gmane.org/gmane.comp.encryption.general/12103/ [4] http://code.google.com/p/dieharder/source/browse/trunk/libdieharder/diehard_sums.c?spec=svn490&r=490#20 [5] http://www.phy.duke.edu/~rgb/General/dieharder.php Joint work with Hannes Frederic Sowa. Cc: Florian Weimer Cc: Theodore Ts'o Signed-off-by: Daniel Borkmann Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Conflicts: include/linux/random.h include/linux/random.h | 13 +++++-- lib/random32.c | 80 +++++++++++++++++++++++++++-------------------- 2 files changed, 55 insertions(+), 38 deletions(-) commit 53dd59a26859c9b98cadcad65791c951b162e91e Author: Hannes Frederic Sowa Date: Mon Nov 11 12:20:33 2013 +0100 Upstream commit: 6d31920246a9fc80be4f16acd27c0bbe8d7b8494 random32: add periodic reseeding The current Tausworthe PRNG is never reseeded with truly random data after the first attempt in late_initcall. As this PRNG is used for some critical random data as e.g. UDP port randomization we should try better and reseed the PRNG once in a while with truly random data from get_random_bytes(). When we reseed with prandom_seed we now make also sure to throw the first output away. This suffices the reseeding procedure. The delay calculation is based on a proposal from Eric Dumazet. Joint work with Daniel Borkmann. Cc: Eric Dumazet Cc: Theodore Ts'o Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller Conflicts: lib/random32.c lib/random32.c | 22 ++++++++++++++++++++++ 1 files changed, 22 insertions(+), 0 deletions(-) commit 9deef5d021000495e04a730ba1880fb4b8951d45 Author: Hannes Frederic Sowa Date: Mon Nov 11 12:20:34 2013 +0100 Upstream commit: 4af712e8df998475736f3e2727701bd31e3751a9 random32: add prandom_reseed_late() and call when nonblocking pool becomes initialized The Tausworthe PRNG is initialized at late_initcall time. At that time the entropy pool serving get_random_bytes is not filled sufficiently. This patch adds an additional reseeding step as soon as the nonblocking pool gets marked as initialized. On some machines it might be possible that late_initcall gets called after the pool has been initialized. In this situation we won't reseed again. (A call to prandom_seed_late blocks later invocations of early reseed attempts.) Joint work with Daniel Borkmann. Cc: Eric Dumazet Cc: Theodore Ts'o Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Acked-by: "Theodore Ts'o" Signed-off-by: David S. Miller Conflicts: lib/random32.c drivers/char/random.c | 5 ++++- include/linux/random.h | 1 + lib/random32.c | 24 +++++++++++++++++++++++- 3 files changed, 28 insertions(+), 2 deletions(-) commit 7445d45f81df0b84bbb7fc6cc598e6b70522c286 Author: Brad Spengler Date: Sat Jan 18 20:43:43 2014 -0500 Since the reworking of recvmsg handlers by Hannes Frederic Sowa, it should be safe to revert our workaround for large number of infoleaks the previous interface made possible, restoring some performance to these syscalls net/socket.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 2c18c01da2a59df2cdaa0d99e0ed2f781c3cbf4e Author: Eric Dumazet Date: Wed Jan 15 06:50:07 2014 -0800 Upstream commit: aee636c4809fa54848ff07a899b326eb1f9987a2 bpf: do not use reciprocal divide At first Jakub Zawadzki noticed that some divisions by reciprocal_divide were not correct. (off by one in some cases) http://www.wireshark.org/~darkjames/reciprocal-buggy.c He could also show this with BPF: http://www.wireshark.org/~darkjames/set-and-dump-filter-k-bug.c The reciprocal divide in linux kernel is not generic enough, lets remove its use in BPF, as it is not worth the pain with current cpus. Signed-off-by: Eric Dumazet Reported-by: Jakub Zawadzki Cc: Mircea Gherzan Cc: Daniel Borkmann Cc: Hannes Frederic Sowa Cc: Matt Evans Cc: Martin Schwidefsky Cc: Heiko Carstens Cc: David S. Miller Signed-off-by: David S. Miller Conflicts: arch/x86/net/bpf_jit_comp.c arch/arm/net/bpf_jit_32.c | 6 +++--- arch/powerpc/net/bpf_jit_comp.c | 7 ++++--- arch/s390/net/bpf_jit_comp.c | 17 ++++++++++++----- arch/sparc/net/bpf_jit_comp.c | 17 ++++++++++++++--- arch/x86/net/bpf_jit_comp.c | 16 ++++++++++------ net/core/filter.c | 30 ++---------------------------- 6 files changed, 45 insertions(+), 48 deletions(-) commit 6986871c84f81084d5c8723538ccefc5c401b31c Author: Jie Liu Date: Wed Jan 1 19:28:03 2014 +0800 Upstream commit: bba719b5004234e55737e7074b81b337210c511d xfs: fix off-by-one error in xfs_attr3_rmt_verify With CRC check is enabled, if trying to set an attributes value just equal to the maximum size of XATTR_SIZE_MAX would cause the v3 remote attr write verification procedure failure, which would yield the back trace like below: XFS (sda7): Internal error xfs_attr3_rmt_write_verify at line 191 of file fs/xfs/xfs_attr_remote.c Call Trace: [] dump_stack+0x45/0x56 [] xfs_error_report+0x3b/0x40 [xfs] [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] [] xfs_corruption_error+0x55/0x80 [xfs] [] xfs_attr3_rmt_write_verify+0x14b/0x1a0 [xfs] [] ? _xfs_buf_ioapply+0x6d/0x390 [xfs] [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] [] _xfs_buf_ioapply+0x6d/0x390 [xfs] [] ? vm_map_ram+0x31a/0x460 [] ? wake_up_state+0x20/0x20 [] ? xfs_bdstrat_cb+0x55/0xb0 [xfs] [] xfs_buf_iorequest+0x6b/0xc0 [xfs] [] xfs_bdstrat_cb+0x55/0xb0 [xfs] [] xfs_bwrite+0x46/0x80 [xfs] [] xfs_attr_rmtval_set+0x334/0x490 [xfs] [] xfs_attr_leaf_addname+0x24a/0x410 [xfs] [] xfs_attr_set_int+0x223/0x470 [xfs] [] xfs_attr_set+0x96/0xb0 [xfs] [] xfs_xattr_set+0x42/0x70 [xfs] [] generic_setxattr+0x62/0x80 [] __vfs_setxattr_noperm+0x63/0x1b0 [] ? evm_inode_setxattr+0xe/0x10 [] vfs_setxattr+0xb5/0xc0 [] setxattr+0x12e/0x1c0 [] ? final_putname+0x22/0x50 [] ? putname+0x2b/0x40 [] ? user_path_at_empty+0x5f/0x90 [] ? __sb_start_write+0x49/0xe0 [] ? vm_mmap_pgoff+0x99/0xc0 [] SyS_setxattr+0x8f/0xe0 [] system_call_fastpath+0x1a/0x1f Tests: setfattr -n user.longxattr -v `perl -e 'print "A"x65536'` testfile This patch fix it to check the remote EA size is greater than the XATTR_SIZE_MAX rather than more than or equal to it, because it's valid if the specified EA value size is equal to the limitation as per VFS setxattr interface. Signed-off-by: Jie Liu Reviewed-by: Mark Tinguely Signed-off-by: Ben Myers (cherry picked from commit 85dd0707f0cad26d60f2dc574d17a5ab948d10f7) fs/xfs/xfs_attr_remote.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e8aa7f8223cf2bc0893c6bec7ada0b13edc07703 Author: Steven Rostedt Date: Thu Jan 9 21:46:34 2014 -0500 Upstream commit: 3dc91d4338d698ce77832985f9cb183d8eeaf6be SELinux: Fix possible NULL pointer dereference in selinux_inode_permission() While running stress tests on adding and deleting ftrace instances I hit this bug: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: selinux_inode_permission+0x85/0x160 PGD 63681067 PUD 7ddbe067 PMD 0 Oops: 0000 [#1] PREEMPT CPU: 0 PID: 5634 Comm: ftrace-test-mki Not tainted 3.13.0-rc4-test-00033-gd2a6dde-dirty #20 Hardware name: /DG965MQ, BIOS MQ96510J.86A.0372.2006.0605.1717 06/05/2006 task: ffff880078375800 ti: ffff88007ddb0000 task.ti: ffff88007ddb0000 RIP: 0010:[] [] selinux_inode_permission+0x85/0x160 RSP: 0018:ffff88007ddb1c48 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000800000 RCX: ffff88006dd43840 RDX: 0000000000000001 RSI: 0000000000000081 RDI: ffff88006ee46000 RBP: ffff88007ddb1c88 R08: 0000000000000000 R09: ffff88007ddb1c54 R10: 6e6576652f6f6f66 R11: 0000000000000003 R12: 0000000000000000 R13: 0000000000000081 R14: ffff88006ee46000 R15: 0000000000000000 FS: 00007f217b5b6700(0000) GS:ffffffff81e21000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033^M CR2: 0000000000000020 CR3: 000000006a0fe000 CR4: 00000000000007f0 Call Trace: security_inode_permission+0x1c/0x30 __inode_permission+0x41/0xa0 inode_permission+0x18/0x50 link_path_walk+0x66/0x920 path_openat+0xa6/0x6c0 do_filp_open+0x43/0xa0 do_sys_open+0x146/0x240 SyS_open+0x1e/0x20 system_call_fastpath+0x16/0x1b Code: 84 a1 00 00 00 81 e3 00 20 00 00 89 d8 83 c8 02 40 f6 c6 04 0f 45 d8 40 f6 c6 08 74 71 80 cf 02 49 8b 46 38 4c 8d 4d cc 45 31 c0 <0f> b7 50 20 8b 70 1c 48 8b 41 70 89 d9 8b 78 04 e8 36 cf ff ff RIP selinux_inode_permission+0x85/0x160 CR2: 0000000000000020 Investigating, I found that the inode->i_security was NULL, and the dereference of it caused the oops. in selinux_inode_permission(): isec = inode->i_security; rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); Note, the crash came from stressing the deletion and reading of debugfs files. I was not able to recreate this via normal files. But I'm not sure they are safe. It may just be that the race window is much harder to hit. What seems to have happened (and what I have traced), is the file is being opened at the same time the file or directory is being deleted. As the dentry and inode locks are not held during the path walk, nor is the inodes ref counts being incremented, there is nothing saving these structures from being discarded except for an rcu_read_lock(). The rcu_read_lock() protects against freeing of the inode, but it does not protect freeing of the inode_security_struct. Now if the freeing of the i_security happens with a call_rcu(), and the i_security field of the inode is not changed (it gets freed as the inode gets freed) then there will be no issue here. (Linus Torvalds suggested not setting the field to NULL such that we do not need to check if it is NULL in the permission check). Note, this is a hack, but it fixes the problem at hand. A real fix is to restructure the destroy_inode() to call all the destructor handlers from the RCU callback. But that is a major job to do, and requires a lot of work. For now, we just band-aid this bug with this fix (it works), and work on a more maintainable solution in the future. Link: http://lkml.kernel.org/r/20140109101932.0508dec7@gandalf.local.home Link: http://lkml.kernel.org/r/20140109182756.17abaaa8@gandalf.local.home Cc: stable@vger.kernel.org Signed-off-by: Steven Rostedt Signed-off-by: Linus Torvalds security/selinux/hooks.c | 20 ++++++++++++++++++-- security/selinux/include/objsec.h | 5 ++++- 2 files changed, 22 insertions(+), 3 deletions(-) commit e19ed2ef10ac8fb5539ff49890f149230ba504a2 Author: Hugh Dickins Date: Sun Jan 12 01:25:21 2014 -0800 Upstream commit: eecc1e426d681351a6026a7d3e7d225f38955b6c thp: fix copy_page_rep GPF by testing is_huge_zero_pmd once only We see General Protection Fault on RSI in copy_page_rep: that RSI is what you get from a NULL struct page pointer. RIP: 0010:[] [] copy_page_rep+0x5/0x10 RSP: 0000:ffff880136e15c00 EFLAGS: 00010286 RAX: ffff880000000000 RBX: ffff880136e14000 RCX: 0000000000000200 RDX: 6db6db6db6db6db7 RSI: db73880000000000 RDI: ffff880dd0c00000 RBP: ffff880136e15c18 R08: 0000000000000200 R09: 000000000005987c R10: 000000000005987c R11: 0000000000000200 R12: 0000000000000001 R13: ffffea00305aa000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f195752f700(0000) GS:ffff880c7fc20000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000093010000 CR3: 00000001458e1000 CR4: 00000000000027e0 Call Trace: copy_user_huge_page+0x93/0xab do_huge_pmd_wp_page+0x710/0x815 handle_mm_fault+0x15d8/0x1d70 __do_page_fault+0x14d/0x840 do_page_fault+0x2f/0x90 page_fault+0x22/0x30 do_huge_pmd_wp_page() tests is_huge_zero_pmd(orig_pmd) four times: but since shrink_huge_zero_page() can free the huge_zero_page, and we have no hold of our own on it here (except where the fourth test holds page_table_lock and has checked pmd_same), it's possible for it to answer yes the first time, but no to the second or third test. Change all those last three to tests for NULL page. (Note: this is not the same issue as trinity's DEBUG_PAGEALLOC BUG in copy_page_rep with RSI: ffff88009c422000, reported by Sasha Levin in https://lkml.org/lkml/2013/3/29/103. I believe that one is due to the source page being split, and a tail page freed, while copy is in progress; and not a problem without DEBUG_PAGEALLOC, since the pmd_same check will prevent a miscopy from being made visible.) Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page") Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.10 v3.11 v3.12 Signed-off-by: Linus Torvalds mm/huge_memory.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 49bf1cc12db4954afc0a3e9a4506325a53259c13 Author: Christian Engelmayer Date: Sat Jan 11 22:19:30 2014 +0100 Upstream commit: 267d29a69c6af39445f36102a832b25ed483f299 ieee802154: Fix memory leak in ieee802154_add_iface() Fix a memory leak in the ieee802154_add_iface() error handling path. Detected by Coverity: CID 710490. Signed-off-by: Christian Engelmayer Signed-off-by: David S. Miller net/ieee802154/nl-phy.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4e2493507f0d3a43a3c9562a4e75ae806f993d84 Author: Hannes Frederic Sowa Date: Mon Jan 13 02:45:22 2014 +0100 Upstream commit: 95f4a45de1a0f172b35451fc52283290adb21f6e net: avoid reference counter overflows on fib_rules in multicast forwarding Bob Falken reported that after 4G packets, multicast forwarding stopped working. This was because of a rule reference counter overflow which freed the rule as soon as the overflow happend. This patch solves this by adding the FIB_LOOKUP_NOREF flag to fib_rules_lookup calls. This is safe even from non-rcu locked sections as in this case the flag only implies not taking a reference to the rule, which we don't need at all. Rules only hold references to the namespace, which are guaranteed to be available during the call of the non-rcu protected function reg_vif_xmit because of the interface reference which itself holds a reference to the net namespace. Fixes: f0ad0860d01e47 ("ipv4: ipmr: support multiple tables") Fixes: d1db275dd3f6e4 ("ipv6: ip6mr: support multiple tables") Reported-by: Bob Falken Cc: Patrick McHardy Cc: Thomas Graf Cc: Julian Anastasov Cc: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ipmr.c | 7 +++++-- net/ipv6/ip6mr.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 427e1a47ccd092da8d3834ec889bbf899bf02994 Author: NeilBrown Date: Mon Jan 6 10:35:34 2014 +1100 Upstream commit: e8b849158508565e0cd6bc80061124afc5879160 md/raid10: fix bug when raid10 recovery fails to recover a block. commit e875ecea266a543e643b19e44cf472f1412708f9 md/raid10 record bad blocks as needed during recovery. added code to the "cannot recover this block" path to record a bad block rather than fail the whole recovery. Unfortunately this new case was placed *after* r10bio was freed rather than *before*, yet it still uses r10bio. This is will crash with a null dereference. So move the freeing of r10bio down where it is safe. Cc: stable@vger.kernel.org (v3.1+) Fixes: e875ecea266a543e643b19e44cf472f1412708f9 Reported-by: Damian Nowak URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 Signed-off-by: NeilBrown drivers/md/raid10.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 528bc79bf4b9414269c3468527a1fb93992888ec Author: NeilBrown Date: Mon Jan 6 13:19:42 2014 +1100 Upstream commit: 1cc03eb93245e63b0b7a7832165efdc52e25b4e6 md/raid5: Fix possible confusion when multiple write errors occur. commit 5d8c71f9e5fbdd95650be00294d238e27a363b5c md: raid5 crash during degradation Fixed a crash in an overly simplistic way which could leave R5_WriteError or R5_MadeGood set in the stripe cache for devices for which it is no longer relevant. When those devices are removed and spares added the flags are still set and can cause incorrect behaviour. commit 14a75d3e07c784c004b4b44b34af996b8e4ac453 md/raid5: preferentially read from replacement device if possible. Fixed the same bug if a more effective way, so we can now revert the original commit. Reported-and-tested-by: Alexander Lyakas Cc: stable@vger.kernel.org (3.2+ - 3.2 will need a different fix though) Fixes: 5d8c71f9e5fbdd95650be00294d238e27a363b5c Signed-off-by: NeilBrown drivers/md/raid5.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 65e365f661bcc034ce8da73be4521dde4088cbc6 Author: NeilBrown Date: Tue Jan 14 10:38:09 2014 +1100 Upstream commit: b50c259e25d9260b9108dc0c2964c26e5ecbe1c1 md/raid10: fix two bugs in handling of known-bad-blocks. If we discover a bad block when reading we split the request and potentially read some of it from a different device. The code path of this has two bugs in RAID10. 1/ we get a spin_lock with _irq, but unlock without _irq!! 2/ The calculation of 'sectors_handled' is wrong, as can be clearly seen by comparison with raid1.c This leads to at least 2 warnings and a probable crash is a RAID10 ever had known bad blocks. Cc: stable@vger.kernel.org (v3.1+) Fixes: 856e08e23762dfb92ffc68fd0a8d228f9e152160 Reported-by: Damian Nowak URL: https://bugzilla.kernel.org/show_bug.cgi?id=68181 Signed-off-by: NeilBrown drivers/md/raid10.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 648634ea6eaa98407d5cee468eea365addf784d7 Author: Andreas Rohner Date: Tue Jan 14 17:56:36 2014 -0800 Upstream commit: 70f2fe3a26248724d8a5019681a869abdaf3e89a nilfs2: fix segctor bug that causes file system corruption There is a bug in the function nilfs_segctor_collect, which results in active data being written to a segment, that is marked as clean. It is possible, that this segment is selected for a later segment construction, whereby the old data is overwritten. The problem shows itself with the following kernel log message: nilfs_sufile_do_cancel_free: segment 6533 must be clean Usually a few hours later the file system gets corrupted: NILFS: bad btree node (blocknr=8748107): level = 0, flags = 0x0, nchildren = 0 NILFS error (device sdc1): nilfs_bmap_last_key: broken bmap (inode number=114660) The issue can be reproduced with a file system that is nearly full and with the cleaner running, while some IO intensive task is running. Although it is quite hard to reproduce. This is what happens: 1. The cleaner starts the segment construction 2. nilfs_segctor_collect is called 3. sc_stage is on NILFS_ST_SUFILE and segments are freed 4. sc_stage is on NILFS_ST_DAT current segment is full 5. nilfs_segctor_extend_segments is called, which allocates a new segment 6. The new segment is one of the segments freed in step 3 7. nilfs_sufile_cancel_freev is called and produces an error message 8. Loop around and the collection starts again 9. sc_stage is on NILFS_ST_SUFILE and segments are freed including the newly allocated segment, which will contain active data and can be allocated at a later time 10. A few hours later another segment construction allocates the segment and causes file system corruption This can be prevented by simply reordering the statements. If nilfs_sufile_cancel_freev is called before nilfs_segctor_extend_segments the freed segments are marked as dirty and cannot be allocated any more. Signed-off-by: Andreas Rohner Reviewed-by: Ryusuke Konishi Tested-by: Andreas Rohner Signed-off-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/nilfs2/segment.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 380b201967bbe5769291311e5195a603006d391c Author: Mikulas Patocka Date: Tue Jan 14 17:56:40 2014 -0800 Upstream commit: 03e5ac2fc3bf6f4140db0371e8bb4243b24e3e02 mm: fix crash when using XFS on loopback Commit 8456a648cf44 ("slab: use struct page for slab management") causes a crash in the LVM2 testsuite on PA-RISC (the crashing test is fsadm.sh). The testsuite doesn't crash on 3.12, crashes on 3.13-rc1 and later. Bad Address (null pointer deref?): Code=15 regs=000000413edd89a0 (Addr=000006202224647d) CPU: 3 PID: 24008 Comm: loop0 Not tainted 3.13.0-rc6 #5 task: 00000001bf3c0048 ti: 000000413edd8000 task.ti: 000000413edd8000 YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI PSW: 00001000000001101111100100001110 Not tainted r00-03 000000ff0806f90e 00000000405c8de0 000000004013e6c0 000000413edd83f0 r04-07 00000000405a95e0 0000000000000200 00000001414735f0 00000001bf349e40 r08-11 0000000010fe3d10 0000000000000001 00000040829c7778 000000413efd9000 r12-15 0000000000000000 000000004060d800 0000000010fe3000 0000000010fe3000 r16-19 000000413edd82a0 00000041078ddbc0 0000000000000010 0000000000000001 r20-23 0008f3d0d83a8000 0000000000000000 00000040829c7778 0000000000000080 r24-27 00000001bf349e40 00000001bf349e40 202d66202224640d 00000000405a95e0 r28-31 202d662022246465 000000413edd88f0 000000413edd89a0 0000000000000001 sr00-03 000000000532c000 0000000000000000 0000000000000000 000000000532c000 sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000401fe42c 00000000401fe430 IIR: 539c0030 ISR: 00000000202d6000 IOR: 000006202224647d CPU: 3 CR30: 000000413edd8000 CR31: 0000000000000000 ORIG_R28: 00000000405a95e0 IAOQ[0]: vma_interval_tree_iter_first+0x14/0x48 IAOQ[1]: vma_interval_tree_iter_first+0x18/0x48 RP(r2): flush_dcache_page+0x128/0x388 Backtrace: flush_dcache_page+0x128/0x388 lo_splice_actor+0x90/0x148 [loop] splice_from_pipe_feed+0xc0/0x1d0 __splice_from_pipe+0xac/0xc0 lo_direct_splice_actor+0x1c/0x70 [loop] splice_direct_to_actor+0xec/0x228 lo_receive+0xe4/0x298 [loop] loop_thread+0x478/0x640 [loop] kthread+0x134/0x168 end_fault_vector+0x20/0x28 xfs_setsize_buftarg+0x0/0x90 [xfs] Kernel panic - not syncing: Bad Address (null pointer deref?) Commit 8456a648cf44 changes the page structure so that the slab subsystem reuses the page->mapping field. The crash happens in the following way: * XFS allocates some memory from slab and issues a bio to read data into it. * the bio is sent to the loopback device. * lo_receive creates an actor and calls splice_direct_to_actor. * lo_splice_actor copies data to the target page. * lo_splice_actor calls flush_dcache_page because the page may be mapped by userspace. In that case we need to flush the kernel cache. * flush_dcache_page asks for the list of userspace mappings, however that page->mapping field is reused by the slab subsystem for a different purpose. This causes the crash. Note that other architectures without coherent caches (sparc, arm, mips) also call page_mapping from flush_dcache_page, so they may crash in the same way. This patch fixes this bug by testing if the page is a slab page in page_mapping and returning NULL if it is. The patch also fixes VM_BUG_ON(PageSlab(page)) that could happen in earlier kernels in the same scenario on architectures without cache coherence when CONFIG_DEBUG_VM is enabled - so it should be backported to stable kernels. In the old kernels, the function page_mapping is placed in include/linux/mm.h, so you should modify the patch accordingly when backporting it. Signed-off-by: Mikulas Patocka Cc: John David Anglin ] Cc: Andi Kleen Cc: Christoph Lameter Acked-by: Pekka Enberg Reviewed-by: Joonsoo Kim Cc: Helge Deller Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/util.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit e71bfbceaa0246366fe3753a893c660f22568bb9 Merge: 83b84f4 e8219cf Author: Brad Spengler Date: Sat Jan 18 17:30:14 2014 -0500 Merge branch 'pax-test' into grsec-test commit 83b84f4f7b950eeddc319df9dabeca8df99c19e7 Author: Brad Spengler Date: Sat Jan 18 17:30:05 2014 -0500 Revert "Revert recent PaX marking change that broke a significant number" This reverts commit 59672b779a7ef3857bb9335c668f671ea04c8a19. fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++----------------------- 1 files changed, 30 insertions(+), 23 deletions(-) commit e8219cf65fbb6e3763c4298831239929d1c1f9fa Author: Brad Spengler Date: Sat Jan 18 17:29:19 2014 -0500 Update to pax-linux-3.12.8-test15.patch: - reworked the interaction between the various PaX control flag mechanisms for better consistency - fixed type attribute handling in the constify plugin, reported by spender fs/binfmt_elf.c | 144 +++++++++++++++++++++++------------------- include/linux/sched.h | 1 + include/uapi/linux/sysctl.h | 6 -- tools/gcc/constify_plugin.c | 20 +++--- 4 files changed, 89 insertions(+), 82 deletions(-) commit 88474da15f3f3f5d93848102d03bb4983b9a0b78 Merge: 59672b7 dbe1b0b28 Author: Brad Spengler Date: Thu Jan 16 07:00:51 2014 -0500 Merge branch 'pax-test' into grsec-test commit dbe1b0b28973953b8919fbfc479054d527066737 Merge: 229fa99 97f15f1 Author: Brad Spengler Date: Thu Jan 16 07:00:16 2014 -0500 Update to pax-linux-3.12.8-test14.patch: - added a generated file to dontdiff, reported by Emese - removed duplicated code due to a mismerge Merge branch 'linux-3.12.y' into pax-test Conflicts: arch/x86/include/asm/fpu-internal.h commit 59672b779a7ef3857bb9335c668f671ea04c8a19 Author: Brad Spengler Date: Thu Dec 26 19:23:25 2013 -0500 Revert recent PaX marking change that broke a significant number of existing systems. The marking system will be revamped in a later patch to fix softmode support while making XT markings more usable. fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ 1 files changed, 23 insertions(+), 30 deletions(-) commit 528d5554e49536241bdf98c59ac3daedf2855a11 Merge: f17b6ff 229fa99 Author: Brad Spengler Date: Sun Jan 12 07:56:10 2014 -0500 Merge branch 'pax-test' into grsec-test commit 229fa990d096324284db79ed69b336d19df28afb Author: Brad Spengler Date: Sun Jan 12 07:55:36 2014 -0500 update to newer size_overflow hash table tools/gcc/size_overflow_hash.data | 150 +++++++++++++++++++++---------------- 1 files changed, 84 insertions(+), 66 deletions(-) commit f17b6ff4817c57c0aaae76c2c1cf2ee759773292 Merge: 93e7728 6e027b9 Author: Brad Spengler Date: Sat Jan 11 17:38:57 2014 -0500 Merge branch 'pax-test' into grsec-test commit 6e027b9f1196ed76313c256f8f962afd334d999f Author: Brad Spengler Date: Sat Jan 11 17:38:28 2014 -0500 Update to pax-linux-3.12.7-test12.patch: - new size overflow plugin and hash table from Emese, should really fix the canon_copy_from_read_buf problem - fixed incorrent module parameter type in vivi, caught by the size overflow plugin drivers/media/platform/vivi.c | 4 +- tools/gcc/size_overflow_hash.data | 120 ++++++++++++++++++------------------ tools/gcc/size_overflow_plugin.c | 64 +++++++++++++------- 3 files changed, 105 insertions(+), 83 deletions(-) commit 93e7728fe0c37e00421e82cc43f8d467d5161751 Merge: 41ac3ff eadfb9b Author: Brad Spengler Date: Thu Jan 9 17:47:29 2014 -0500 Merge branch 'pax-test' into grsec-test commit eadfb9b1066d32ee537369fd67683297eb791ed0 Merge: bccc569 4301b7a Author: Brad Spengler Date: Thu Jan 9 17:46:48 2014 -0500 Update to pax-linux-3.12.7-test11.patch: - fixed powerpc compilation, by Purushothama Siddaiah - updated size overflow hash table from Emese, reported by Brian Haslett Merge branch 'linux-3.12.y' into pax-test Conflicts: include/linux/reboot.h mm/fremap.c mm/memory-failure.c scripts/link-vmlinux.sh commit 41ac3ff0c57f5b8bc2e32fd6ee58d618a6c8feec Author: Brad Spengler Date: Wed Jan 8 20:24:27 2014 -0500 zeroing out btime from /proc/stat breaks ps aux, it's the seconds of uptime for the system, information which is also available elsewhere (/proc/uptime), so there's no reason to limit it fs/proc/stat.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a1c966be13a8cfa254a6814c8a79caed3b421f0a Author: Brad Spengler Date: Wed Jan 8 18:13:15 2014 -0500 fix typo mm/vmstat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f1b3c3eec89cd91474518f7fbd6ffe11c0cf22c7 Author: Brad Spengler Date: Wed Jan 8 18:06:53 2014 -0500 provide a zeroed out /proc/vmstat to unprivileged users instead of denied access, some poorly-written desktop apps bail out completely when it can't be opened mm/vmstat.c | 21 +++++++++++++++------ 1 files changed, 15 insertions(+), 6 deletions(-) commit 4e7ac33a7cf3cb6387d69a4d9ba248a2a2c95c52 Merge: ecdc265 bccc569 Author: Brad Spengler Date: Wed Jan 8 17:55:50 2014 -0500 Merge branch 'pax-test' into grsec-test commit bccc5691fbe71245abd1e39c4387c1c0146bb3fd Author: Brad Spengler Date: Wed Jan 8 17:55:08 2014 -0500 Update to pax-linux-3.12.6-test10.patch: - removed config reference to EXT4_FS_XATTR, reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3904) - Emese worked around a few intentional overflows that triggered the size overflow plugin - in cpuset_common_file_read, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=496490) and boris64 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3907) - in canon_copy_from_read_buf, reported by dwokfur (http://forums.grsecurity.net/viewtopic.php?f=3&t=3905) drivers/tty/n_tty.c | 2 +- drivers/usb/core/devio.c | 2 +- security/Kconfig | 1 - tools/gcc/size_overflow_plugin.c | 173 ++++++++++++++++++++++++++++++++------ 4 files changed, 150 insertions(+), 28 deletions(-) commit ecdc2658f89f545acbfddbcef93c04a5bd3c9ce2 Author: Brad Spengler Date: Wed Jan 8 17:46:46 2014 -0500 back out recently-added capability checks to various pci write methods as they break Xorg radeon drivers drivers/pci/pci-sysfs.c | 9 --------- drivers/pci/proc.c | 3 --- 2 files changed, 0 insertions(+), 12 deletions(-) commit 3b9532bcc2f2fda37c6316047764e65d05cfc0d7 Author: Brad Spengler Date: Thu Jan 2 17:05:39 2014 -0500 add missing #include fs/proc/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 44c29b5b08a4475bcd7ca653abe5ed172fa1f8a0 Author: Brad Spengler Date: Thu Jan 2 17:02:24 2014 -0500 Back off recent PCI BAR restrictions as they break various existing necessary functionality (Xorg with VMware video driver, etc) Add CAP_SYS_RAWIO checks instead to code operating off just uid == 0 checks currently drivers/pci/pci-sysfs.c | 17 +++++++---------- drivers/pci/proc.c | 13 ++----------- drivers/pci/syscall.c | 4 ---- 3 files changed, 9 insertions(+), 25 deletions(-) commit 5d6ce67e5ed3913c105cf2fc7c9db1d6e2a9f84a Author: Brad Spengler Date: Tue Dec 31 10:30:20 2013 -0500 Resolve compatibility with libgtop and recent restriction of /proc/stat, reported by KacKurx. We now provide a properly-formatted but zeroed /proc/stat instead of denying unpriv access to the entry fs/proc/stat.c | 34 ++++++++++++++++++++++++---------- 1 files changed, 24 insertions(+), 10 deletions(-) commit fb5263307b4892bbaefc83427412b54c12a4e422 Author: Brad Spengler Date: Mon Dec 30 11:19:53 2013 -0500 Restrict access to /proc/interrupts and /proc/stat as suggested by Vasiliy Kulikov: http://www.openwall.com/lists/kernel-hardening/2011/11/07/1 fs/proc/interrupts.c | 4 ++++ fs/proc/stat.c | 4 ++++ 2 files changed, 8 insertions(+), 0 deletions(-) commit e5f67af1a42dbde9aae812c25e2498b908919689 Author: Brad Spengler Date: Mon Dec 30 11:13:49 2013 -0500 Update to phase two of the IPC hardening. I've heard no complaints about the patch I released, but including it here will generate better information. grsecurity/Kconfig | 16 ++++++++++------ grsecurity/grsec_ipc.c | 32 +++++++++++++++++++++++++++++--- include/linux/grmsg.h | 2 +- ipc/util.c | 3 ++- 4 files changed, 42 insertions(+), 11 deletions(-) commit a5a7395ebf9054496b21fd84978daba0a9bfde5d Merge: b07a1fc bfce0d4 Author: Brad Spengler Date: Thu Dec 26 19:24:39 2013 -0500 Merge branch 'pax-test' into grsec-test commit bfce0d4c8f94977de165b9a559c531759d031b4b Author: Brad Spengler Date: Thu Dec 26 19:23:25 2013 -0500 Revert recent PaX marking change that broke a significant number of existing systems. The marking system will be revamped in a later patch to fix softmode support while making XT markings more usable. fs/binfmt_elf.c | 53 +++++++++++++++++++++++------------------------------ 1 files changed, 23 insertions(+), 30 deletions(-) commit b07a1fc3ab37cf27f8e7b56193a08adfadd569b6 Author: Brad Spengler Date: Thu Dec 26 19:20:26 2013 -0500 add missing #include grsecurity/grsec_mount.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 5fbe9de8e020fdf6b911a2368e41ba88df554343 Author: Brad Spengler Date: Thu Dec 26 15:51:51 2013 -0500 Update config help to reflect requirements for proper security, similar to what we mention for GRKERNSEC_KMEM or GRKERNSEC_HIDESYM grsecurity/Kconfig | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit d26ce94a15a14d44494fd3e307baebc2511a09b8 Author: Brad Spengler Date: Thu Dec 26 15:35:31 2013 -0500 Whenever we perform checks against block devices we should also test for raw character devices provided by CONFIG_RAW_DRIVER. Unlike other OSes, Linux's raw device support has been obsoleted many years ago and is unlikely to be present in a given kernel config (modulo an allyesconfig). grsecurity/gracl.c | 2 +- grsecurity/grsec_mount.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 4bbb922e6241dad03e37919f66e9f422743f5b5e Author: Brad Spengler Date: Wed Dec 25 16:37:02 2013 -0500 Add some of the more obscure, config-dependent kernel modification defenses to GRKERNSEC_KMEM, to be split out into a separate option if this causes any compatibility problems. From Matthew Garrett: https://lkml.org/lkml/2013/9/9/532 Also make make hibernation depend on !PAX_MEMORY_SANITIZE and not the other way around (to produce more secure settings when distro configs are used as a base) drivers/acpi/custom_method.c | 4 ++++ drivers/pci/pci-sysfs.c | 12 ++++++++++++ drivers/pci/proc.c | 12 ++++++++++++ drivers/pci/syscall.c | 4 ++++ drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ kernel/power/Kconfig | 2 ++ security/Kconfig | 1 - 7 files changed, 46 insertions(+), 1 deletions(-) commit 3ae9170407e5782e6a7b2bd796b60149864e6c3e Author: Chad Hanson Date: Mon Dec 23 17:45:01 2013 -0500 Upstream commit: 46d01d63221c3508421dd72ff9c879f61053cffc selinux: fix broken peer recv check Fix a broken networking check. Return an error if peer recv fails. If secmark is active and the packet recv succeeds the peer recv error is ignored. Signed-off-by: Chad Hanson Cc: stable@vger.kernel.org Signed-off-by: Paul Moore security/selinux/hooks.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit c870e769c2d34bff7a0eba239c092bb115bb9d71 Author: Oleg Nesterov Date: Mon Dec 23 17:45:01 2013 -0500 Upstream commit: c0c1439541f5305b57a83d599af32b74182933fe selinux: selinux_setprocattr()->ptrace_parent() needs rcu_read_lock() selinux_setprocattr() does ptrace_parent(p) under task_lock(p), but task_struct->alloc_lock doesn't pin ->parent or ->ptrace, this looks confusing and triggers the "suspicious RCU usage" warning because ptrace_parent() does rcu_dereference_check(). And in theory this is wrong, spin_lock()->preempt_disable() doesn't necessarily imply rcu_read_lock() we need to access the ->parent. Reported-by: Evan McNabb Signed-off-by: Oleg Nesterov Cc: stable@vger.kernel.org Signed-off-by: Paul Moore security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 717544da98db68da8cf1b902e33eefc098170128 Author: Benjamin LaHaise Date: Sat Dec 21 15:49:28 2013 -0500 Upstream commit: 1881686f842065d2f92ec9c6424830ffc17d23b0 aio: fix kioctx leak introduced by "aio: Fix a trinity splat" e34ecee2ae791df674dfb466ce40692ca6218e43 reworked the percpu reference counting to correct a bug trinity found. Unfortunately, the change lead to kioctxes being leaked because there was no final reference count to put. Add that reference count back in to fix things. Signed-off-by: Benjamin LaHaise Cc: stable@vger.kernel.org fs/aio.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 21649f0e322166802adf5872f2affc38a0d6eb18 Author: Jianguo Wu Date: Wed Dec 18 17:08:59 2013 -0800 Upstream commit: 98398c32f6687ee1e1f3ae084effb4b75adb0747 mm/hugetlb: check for pte NULL pointer in __page_check_address() In __page_check_address(), if address's pud is not present, huge_pte_offset() will return NULL, we should check the return value. Signed-off-by: Jianguo Wu Cc: Naoya Horiguchi Cc: Mel Gorman Cc: qiuxishi Cc: Hanjun Guo Acked-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: mm/rmap.c mm/rmap.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 184b047d4bc06f058aadb07393270e5d972af3aa Author: Kirill A. Shutemov Date: Fri Dec 20 15:10:03 2013 +0200 Upstream commit: ee53664bda169f519ce3c6a22d378f0b946c8178 mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Sasha Levin found a NULL pointer dereference that is due to a missing page table lock, which in turn is due to the pmd entry in question being a transparent huge-table entry. The code - introduced in commit 1998cc048901 ("mm: make madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it turns out that that function doesn't work correctly. pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would trigger if the transparent hugepage bit was set, but it doesn't do that if pmd_numa() is also set. Note that the NUMA bit only gets set on real NUMA machines, so people trying to reproduce this on most normal development systems would never actually trigger this. Fix it by removing the very subtle (and subtly incorrect) expectation, and instead just checking pmd_trans_huge() explicitly. Reported-by: Sasha Levin Acked-by: Andrea Arcangeli [ Additionally remove the now stale test for pmd_trans_huge() inside the pmd_bad() case - Linus ] Signed-off-by: Linus Torvalds include/asm-generic/pgtable.h | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 1d769ef5d57f3bb616929c7e3c600852e20d575e Author: Daniel Borkmann Date: Tue Dec 17 00:38:39 2013 +0100 Upstream commit: b1aac815c0891fe4a55a6b0b715910142227700f net: inet_diag: zero out uninitialized idiag_{src,dst} fields Jakub reported while working with nlmon netlink sniffer that parts of the inet_diag_sockid are not initialized when r->idiag_family != AF_INET6. That is, fields of r->id.idiag_src[1 ... 3], r->id.idiag_dst[1 ... 3]. In fact, it seems that we can leak 6 * sizeof(u32) byte of kernel [slab] memory through this. At least, in udp_dump_one(), we allocate a skb in ... rep = nlmsg_new(sizeof(struct inet_diag_msg) + ..., GFP_KERNEL); ... and then pass that to inet_sk_diag_fill() that puts the whole struct inet_diag_msg into the skb, where we only fill out r->id.idiag_src[0], r->id.idiag_dst[0] and leave the rest untouched: r->id.idiag_src[0] = inet->inet_rcv_saddr; r->id.idiag_dst[0] = inet->inet_daddr; struct inet_diag_msg embeds struct inet_diag_sockid that is correctly / fully filled out in IPv6 case, but for IPv4 not. So just zero them out by using plain memset (for this little amount of bytes it's probably not worth the extra check for idiag_family == AF_INET). Similarly, fix also other places where we fill that out. Reported-by: Jakub Zawadzki Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller Conflicts: net/ipv4/inet_diag.c net/ipv4/inet_diag.c | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) commit 11093b2d02f7bba2c9085b2d2d020b9ee34f8737 Author: Wenliang Fan Date: Tue Dec 17 11:25:28 2013 +0800 Upstream commit: e9db5c21d3646a6454fcd04938dd215ac3ab620a drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl() The local variable 'bi' comes from userspace. If userspace passed a large number to 'bi.data.calibrate', there would be an integer overflow in the following line: s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; Signed-off-by: Wenliang Fan Signed-off-by: David S. Miller drivers/net/hamradio/hdlcdrv.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e162be84a9971452943c1d85a59c866a5486222b Author: Ard Biesheuvel Date: Mon Dec 23 18:49:30 2013 +0100 Upstream commit: f60900f2609e893c7f8d0bccc7ada4947dac4cd5 auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE accordingly. Signed-off-by: Ard Biesheuvel Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry) Cc: stable@vger.kernel.org Acked-by: Michael Neuling Cc: Nishanth Aravamudan Cc: Benjamin Herrenschmidt Signed-off-by: Linus Torvalds include/linux/auxvec.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a60029d4fb8d62b6dd3617a8ab4031fd79b89fe3 Author: Brad Spengler Date: Wed Dec 25 15:11:51 2013 -0500 remove unused 'dentry' variable fs/xattr.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit d6e290d23c8c47c19536ed84f403eb81f224ed67 Author: Brad Spengler Date: Wed Dec 25 15:03:13 2013 -0500 Add RBAC mediation of *removexattr(), as this has security implications in the case of PaX with softmode enabled or the rare case of RBAC+SELinux use. fs/xattr.c | 18 +++++++++++------- grsecurity/gracl_fs.c | 6 ++++++ grsecurity/grsec_disabled.c | 6 ++++++ include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 2 ++ 5 files changed, 27 insertions(+), 8 deletions(-) commit 848b9c1e52382f446a2db679d6ee68c0a8cbc52e Merge: e45d1dd 846d19a Author: Brad Spengler Date: Sun Dec 22 10:36:48 2013 -0500 Merge branch 'pax-test' into grsec-test commit 846d19aa4207282ce5ac54237517e54324eda092 Author: Brad Spengler Date: Sun Dec 22 10:35:16 2013 -0500 Update to pax-linux-3.12.6-test9.patch: - updated size overflow hash table from spender - fixed silly code in kvm_clear_guest_page detected by USERCOPY, reported by remnix (http://forums.grsecurity.net/viewtopic.php?f=3&t=3899) virt/kvm/kvm_main.c | 13 +++++++++++-- 1 files changed, 11 insertions(+), 2 deletions(-) commit e45d1ddcd3c8005889acc55fbf9e57171339fbb4 Merge: b5c87f6 6754393 Author: Brad Spengler Date: Sat Dec 21 07:53:42 2013 -0500 Merge branch 'pax-test' into grsec-test commit 6754393ea42b9fb1d6d8e4635e8364674cee2bbd Author: Brad Spengler Date: Sat Dec 21 07:53:22 2013 -0500 Update size_overflow hash table tools/gcc/size_overflow_hash.data | 119 +++++++++++++++++++------------------ 1 files changed, 60 insertions(+), 59 deletions(-) commit b5c87f632d1cf19639a94c36276f96955221c77a Author: Brad Spengler Date: Fri Dec 20 20:18:56 2013 -0500 compile fix fs/stat.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 47618a93b003d648b5704040d1e502f76de07093 Merge: ba0eeed 37eeb47 Author: Brad Spengler Date: Fri Dec 20 20:18:18 2013 -0500 Merge branch 'pax-test' into grsec-test commit 37eeb473486a08e3beae62841b19169aef36564d Author: Brad Spengler Date: Fri Dec 20 20:17:46 2013 -0500 Update to pax-linux-3.12.6-test8.patch: - fixed an inconsistency in handling softmode and user.pax.flags, reported by jacekalex (http://forums.grsecurity.net/viewtopic.php?f=3&t=3877) - updated size overflow hash table from spender fs/binfmt_elf.c | 53 ++++++++++++++++++++++++++++++----------------------- 1 files changed, 30 insertions(+), 23 deletions(-) commit ba0eeed0532b602905d87e9bf25aad3664c3f36b Merge: 453a7f1 9dda34c Author: Brad Spengler Date: Fri Dec 20 19:17:33 2013 -0500 Merge branch 'pax-test' into grsec-test commit 9dda34cba200c6eadcbbbccbb4729627fd82e6be Merge: 63ebe2d2 d0266db Author: Brad Spengler Date: Fri Dec 20 19:17:18 2013 -0500 Merge branch 'linux-3.12.y' into pax-test Conflicts: arch/x86/boot/Makefile commit 453a7f1e18d89056fa27a9fdc777cea1a6fd7fe5 Merge: bb777f5 63ebe2d2 Author: Brad Spengler Date: Thu Dec 19 22:48:02 2013 -0500 Merge branch 'pax-test' into grsec-test commit 63ebe2d2adf8f5ebc1639c1b8d8577fbe5813fcd Author: Brad Spengler Date: Thu Dec 19 22:47:35 2013 -0500 add 42 functions to the size_overflow hash table tools/gcc/size_overflow_hash.data | 59 +++++++++++++++++++++++++++++------- 1 files changed, 47 insertions(+), 12 deletions(-) commit bb777f517e6c2a53909351245d7d2009d8ad4c5b Merge: cc59b1f a03d29c Author: Brad Spengler Date: Thu Dec 19 17:12:01 2013 -0500 Merge branch 'pax-test' into grsec-test commit a03d29c1eead36d4f9eac27b3a5d4b4266360a81 Author: Brad Spengler Date: Thu Dec 19 17:11:19 2013 -0500 Update to pax-linux-3.12.5-test7.patch: - fixed some more size overflow reports - gratuitous int/uint conversion in expand_files and expand_fdtable, reported by wizeman (http://forums.grsecurity.net/viewtopic.php?f=3&t=3898) - better fix for the gcc induced intentional overflow in usbdev_read arch/x86/include/asm/atomic.h | 6 +++--- arch/x86/include/asm/atomic64_32.h | 2 +- arch/x86/include/asm/atomic64_64.h | 2 +- drivers/usb/core/devio.c | 2 +- fs/file.c | 4 ++-- include/asm-generic/atomic-long.h | 2 +- tools/gcc/size_overflow_hash.data | 3 --- 7 files changed, 9 insertions(+), 12 deletions(-) commit cc59b1fbe8989a6f99d229b34653e40a84d871f4 Merge: 44842d2 6ffdbdf Author: Brad Spengler Date: Sun Dec 15 10:40:14 2013 -0500 Merge branch 'pax-test' into grsec-test commit 6ffdbdf295f56e22ce8626b555a03e4d2b8c6a61 Author: Brad Spengler Date: Sun Dec 15 10:38:59 2013 -0500 Update to pax-linux-3.12.5-test6.patch: - Emese fixed a bug in the size overflow plugin resulting in false positives on downcasts from 64 bit variables on i386, reported by Huub Reuver tools/gcc/size_overflow_plugin.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit 44842d2f32b7fd6f325a90b15bd0a094f08feab9 Merge: c2c9b35 f85d978 Author: Brad Spengler Date: Sat Dec 14 10:58:46 2013 -0500 Merge branch 'pax-test' into grsec-test commit f85d978a63b7388c6ab97b54808992fe2ee4ac8c Author: Brad Spengler Date: Sat Dec 14 10:58:14 2013 -0500 Update to pax-linux-3.12.5-test5.patch: - properly fix the use-after-free in sys_remap_file_pages, by Rik van Riel (http://www.spinics.net/lists/linux-mm/msg66710.html) mm/fremap.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit c2c9b35fca510f7e29f80efa2999695448083b52 Author: Linus Torvalds Date: Thu Dec 12 09:38:42 2013 -0800 Upstream commit: f12d5bfceb7e1f9051563381ec047f7f13956c3c futex: fix handling of read-only-mapped hugepages The hugepage code had the exact same bug that regular pages had in commit 7485d0d3758e ("futexes: Remove rw parameter from get_futex_key()"). The regular page case was fixed by commit 9ea71503a8ed ("futex: Fix regression with read only mappings"), but the transparent hugepage case (added in a5b338f2b0b1: "thp: update futex compound knowledge") case remained broken. Found by Dave Jones and his trinity tool. Reported-and-tested-by: Dave Jones Cc: stable@kernel.org # v2.6.38+ Acked-by: Thomas Gleixner Cc: Mel Gorman Cc: Darren Hart Cc: Andrea Arcangeli Cc: Oleg Nesterov Signed-off-by: Linus Torvalds kernel/futex.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7fe4be2ce4c49484298f71455cdcac08149985cb Author: Andy Honig Date: Mon Nov 18 16:09:22 2013 -0800 Upstream commit: 338c7dbadd2671189cec7faf64c84d01071b3f96 KVM: Improve create VCPU parameter (CVE-2013-4587) In multiple functions the vcpu_id is used as an offset into a bitfield. Ag malicious user could specify a vcpu_id greater than 255 in order to set or clear bits in kernel memory. This could be used to elevate priveges in the kernel. This patch verifies that the vcpu_id provided is less than 255. The api documentation already specifies that the vcpu_id must be less than max_vcpus, but this is currently not checked. Reported-by: Andrew Honig Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini virt/kvm/kvm_main.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit e3a3b7a0010abaf6f28afb8521fcb29cee6b3c4c Author: Andy Honig Date: Tue Nov 19 14:12:18 2013 -0800 Upstream commit: b963a22e6d1a266a67e9eecc88134713fd54775c KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) Under guest controllable circumstances apic_get_tmcct will execute a divide by zero and cause a crash. If the guest cpuid support tsc deadline timers and performs the following sequence of requests the host will crash. - Set the mode to periodic - Set the TMICT to 0 - Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) - Set the TMICT to non-zero. Then the lapic_timer.period will be 0, but the TMICT will not be. If the guest then reads from the TMCCT then the host will perform a divide by 0. This patch ensures that if the lapic_timer.period is 0, then the division does not occur. Reported-by: Andrew Honig Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini arch/x86/kvm/lapic.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2b8e6adf070a8938133e318e9a6e2f633095f038 Author: Andy Honig Date: Wed Nov 20 10:23:22 2013 -0800 Upstream commit: fda4e2e85589191b123d31cdc21fd33ee70f50fd KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the potential to corrupt kernel memory if userspace provides an address that is at the end of a page. This patches concerts those functions to use kvm_write_guest_cached and kvm_read_guest_cached. It also checks the vapic_address specified by userspace during ioctl processing and returns an error to userspace if the address is not a valid GPA. This is generally not guest triggerable, because the required write is done by firmware that runs before the guest. Also, it only affects AMD processors and oldish Intel that do not have the FlexPriority feature (unless you disable FlexPriority, of course; then newer processors are also affected). Fixes: b93463aa59d6 ('KVM: Accelerated apic support') Reported-by: Andrew Honig Cc: stable@vger.kernel.org Signed-off-by: Andrew Honig Signed-off-by: Paolo Bonzini arch/x86/kvm/lapic.c | 27 +++++++++++++++------------ arch/x86/kvm/lapic.h | 4 ++-- arch/x86/kvm/x86.c | 40 +--------------------------------------- 3 files changed, 18 insertions(+), 53 deletions(-) commit 6261a034c2cc7f34b4c7663ace10d74f9c1fe479 Author: Gleb Natapov Date: Thu Dec 12 21:20:08 2013 +0100 Upstream commit: 17d68b763f09a9ce824ae23eb62c9efc57b69271 KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) A guest can cause a BUG_ON() leading to a host kernel crash. When the guest writes to the ICR to request an IPI, while in x2apic mode the following things happen, the destination is read from ICR2, which is a register that the guest can control. kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the cluster id. A BUG_ON is triggered, which is a protection against accessing map->logical_map with an out-of-bounds access and manages to avoid that anything really unsafe occurs. The logic in the code is correct from real HW point of view. The problem is that KVM supports only one cluster with ID 0 in clustered mode, but the code that has the bug does not take this into account. Reported-by: Lars Bull Cc: stable@vger.kernel.org Signed-off-by: Gleb Natapov Signed-off-by: Paolo Bonzini arch/x86/kvm/lapic.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit beb27f127ef300b52f8c20402d053b05bab7f4e3 Merge: 82c673f b8daf53 Author: Brad Spengler Date: Fri Dec 13 20:11:22 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/parisc/kernel/sys_parisc.c commit b8daf537ab923daf14f38d283ca5361424154fa8 Merge: 7689612 156c758 Author: Brad Spengler Date: Fri Dec 13 20:07:08 2013 -0500 Update to pax-linux-3.12.5-test4.patch: - fixed 32 bit apps executing certain 64 bit ones, reported by Ronny Meeus - fixed underallocation in __d_alloc that would cause an out-of-bounds read later, reported by Dmitry Vyukov and Kees Cook, not understood by Al Viro (http://lkml.org/lkml/2013/10/3/493 and http://lkml.org/lkml/2013/10/11/293) - fixed use-after-free in sys_remap_file_pages, reported by Dmitry Vyukov (http://lkml.org/lkml/2013/9/17/30) - updated size oveflow plugin from Emese, fixes some false positives reported by Tim Harman and Huub Reuver - fixed a btrfs bug caught by the size overflow plugin, reported by Jens Binnewies (http://forums.grsecurity.net/viewtopic.php?f=1&t=3887) turns out that it was fixed upstream already but never marked for stable backport: - https://bugzilla.kernel.org/show_bug.cgi?id=66661 - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/btrfs/tree-log.c?id=ed9e8af88e2551aaa6bf51d8063a2493e2d71597 - fixed bad interactions between the KERNEXEC plugin and some gcc features, reported by Amadeusz SÅ‚awiÅ„ski (https://bugs.gentoo.org/show_bug.cgi?id=487938) - the mask register has been changed from r10 (used by DRAP) to r12 - all kernel entry points now allocate a full pt_regs area (it required some non-trivial surgery, some fallout is possible) Merge branch 'linux-3.12.y' into pax-test Conflicts: arch/parisc/kernel/sys_parisc.c fs/pipe.c commit 82c673fdfd9925cda2e94b67f775be70b8ef4cca Author: Brad Spengler Date: Fri Dec 13 19:39:54 2013 -0500 Fix a use-after-free on fakefs_obj_rw/fakefs_obj_rwx introduced by the recent atomic reload improvement. These two objects are used only for "files" private to the kernel which don't exist on any mounted filesystem and have no visible path. Only the mode field of these objects is ever used, and we would never attempt to free these objects a second time (due to their being allocated into the memory manager associated with the initial policy) In practice this causes bogus auditing messages for / and could potentially cause a subject without executable shared memory support to permit executable shared memory (if PaX is disabled on the binary). Instead just allocate these two special objects with kzalloc at enable time and free them at disable time. Thanks to nyt@countercultured.net for the report grsecurity/gracl_policy.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b0be33b9efb31e2cb745d1b33eee4f89b315d5bf Merge: 4c60da7 7689612 Author: Brad Spengler Date: Sun Dec 8 17:07:04 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/ipv4/ping.c commit 7689612bef2f353f37a2fe94ff0ef8c72634b522 Merge: 2f004b8 289b6c7 Author: Brad Spengler Date: Sun Dec 8 17:05:58 2013 -0500 Merge branch 'linux-3.12.y' into pax-test Conflicts: net/compat.c net/ipv4/ping.c net/ipv6/sit.c net/socket.c commit 4c60da771d2fba442fe7831d590277e6fe80e908 Author: Brad Spengler Date: Sun Dec 8 16:12:01 2013 -0500 Backport of: If we allocate less than sizeof(struct attrlist) then we end up corrupting memory or doing a ZERO_PTR_SIZE dereference. This can only be triggered with CAP_SYS_ADMIN. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter fs/xfs/xfs_ioctl.c | 3 ++- fs/xfs/xfs_ioctl32.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) commit bd50af2c306bfe6287631e0e1745cc5d2fbad0c2 Author: Hannes Frederic Sowa Date: Thu Dec 5 23:29:19 2013 +0100 Upstream commit: 239c78db9c41a8f524cce60507440d72229d73bc net: clear local_df when passing skb between namespaces We must clear local_df when passing the skb between namespaces as the packet is not local to the new namespace any more and thus may not get fragmented by local rules. Fred Templin noticed that other namespaces do fragment IPv6 packets while forwarding. Instead they should have send back a PTB. The same problem should be present when forwarding DF-IPv4 packets between namespaces. Reported-by: Templin, Fred L Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/core/skbuff.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7803212c99050491bd0a2618e039f62c825f82e5 Author: Linus Torvalds Date: Mon Dec 2 11:50:37 2013 -0800 Upstream commit: b65502879556d041b45104c6a35abbbba28c8f2d uio: we cannot mmap unaligned page contents In commit 7314e613d5ff ("Fix a few incorrectly checked [io_]remap_pfn_range() calls") the uio driver started more properly checking the passed-in user mapping arguments against the size of the actual uio driver data. That in turn exposed that some driver authors apparently didn't realize that mmap can only work on a page granularity, and had tried to use it with smaller mappings, with the new size check catching that out. So since it's not just the user mmap() arguments that can be confused, make the uio mmap code also verify that the uio driver has the memory allocated at page boundaries in order for mmap to work. If the device memory isn't properly aligned, we return [ENODEV] The fildes argument refers to a file whose type is not supported by mmap(). as per the open group documentation on mmap. Reported-by: Holger Brunck Acked-by: Greg KH Signed-off-by: Linus Torvalds drivers/uio/uio.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e5fb91d26cb825c36042d62373c0a32a176cfe2d Merge: 6b9d9e2 2f004b8 Author: Brad Spengler Date: Sun Dec 8 10:18:49 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: mm/mmap.c commit 2f004b87204d113e467ba360ac8b0a9cbfcf01cb Merge: c04a09b 81605d3 Author: Brad Spengler Date: Sun Dec 8 10:16:53 2013 -0500 Update to pax-linux-3.12.3-test2.patch: - forward port to 3.12.3 - fixed incorrect ACCESS_ONCE accessors in rcutree, reported by mcp - fixed the usual arm/CONSTIFY fallout, reported by Michael Tremer - changed the constify plugin to give better error messages - worked around a gcc induced intentional integer overflow in usbdev_read, reported by quasar366 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3889) - better fix for http://forums.grsecurity.net/viewtopic.php?f=3&t=3885 - fixed crash under qemu when INVPCID was enabled (say, on -cpu Haswell) but PCID itself wasn't, reported by spender - updated size overflow plugin from Emese, coverage will increase further Merge branch 'linux-3.12.y' into pax-test Conflicts: kernel/trace/ftrace.c mm/mmap.c commit 6b9d9e2fe7cd30598a4c22c159ff3b06339e23c8 Author: David Herrmann Date: Tue Nov 26 13:58:18 2013 +0100 Upstream commit: 80897aa787ecd58eabb29deab7cbec9249c9b7e6 HID: uhid: fix leak for 64/32 UHID_CREATE UHID allows short writes so user-space can omit unused fields. We automatically set them to 0 in the kernel. However, the 64/32 bit compat-handler didn't do that in the UHID_CREATE fallback. This will reveal random kernel heap data (of random size, even) to user-space. Fixes: befde0226a59 ('HID: uhid: make creating devices work on 64/32 systems') Reported-by: Ben Hutchings Signed-off-by: David Herrmann Cc: stable@vger.kernel.org Signed-off-by: Jiri Kosina drivers/hid/uhid.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a06981f0117d614ba4d30f6b5dd6eff7d418ffae Author: Brad Spengler Date: Wed Dec 4 18:15:02 2013 -0500 Don't duplicate __get_dumpable, also make sure we check against SUID_DUMP_USER, otherwise we wouldn't trigger suid bruteforcing detection when suid_dumpable was set to 2 fs/coredump.c | 7 +++++-- grsecurity/grsec_sig.c | 14 ++------------ include/linux/grsecurity.h | 2 +- 3 files changed, 8 insertions(+), 15 deletions(-) commit fc706a922b49e3157cac848fb0c8d1dcf4f360bb Merge: 0f023d5 c04a09b Author: Brad Spengler Date: Tue Dec 3 21:41:57 2013 -0500 Merge branch 'pax-test' into grsec-test commit c04a09b7dbfafdbee85e09c224e90ebc665ce4f5 Author: Brad Spengler Date: Tue Dec 3 21:41:20 2013 -0500 fix up ACCESS_ONCE -> ACCESS_ONCE_RW, as reported by mcp kernel/rcutree_plugin.h | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0f023d59d361b9880155dd8ddb0c1e19a48437c6 Author: Brad Spengler Date: Tue Dec 3 19:39:04 2013 -0500 Update documentation for GRKERNSEC_KMEM and GRKERNSEC_IO, see: http://forums.grsecurity.net/viewtopic.php?f=3&t=3879 The previous info was many years outdated. Disable KEXEC when GRKERNSEC_KMEM is enabled: http://mjg59.dreamwidth.org/28746.html Also workaround the GRKERNSEC_IO incompatibility with Xorg by returning -ENODEV instead of -EPERM in the cases where CAP_SYS_RAWIO is present arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/mips/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/tile/Kconfig | 1 + arch/x86/Kconfig | 1 + arch/x86/kernel/ioport.c | 12 ++++++------ grsecurity/Kconfig | 27 +++++++++++---------------- 8 files changed, 23 insertions(+), 22 deletions(-) commit 9f610c9c398e7e61183feb7fec6b91b9f2223b61 Merge: fed624e 1395b8f Author: Brad Spengler Date: Mon Dec 2 17:33:01 2013 -0500 Merge branch 'pax-test' into grsec-test commit 1395b8f8832d179a0c73e890754534c9d5442201 Author: Brad Spengler Date: Mon Dec 2 17:31:35 2013 -0500 Forward-ported the following fix from 3.2: - worked around a false positive int truncation in xlog_grant_push_ail, reported by jorgus (http://forums.grsecurity.net/viewtopic.php?f=3&t=3885) This caused filesystem corruption in the reported XFS case, problem introduced with Nov 24th patch (IPA-based size overflow plugin) arch/x86/include/asm/atomic64_32.h | 2 +- arch/x86/include/asm/atomic64_64.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fed624ebfd1d08ee6db247733cdb44df0e1be8b0 Author: Brad Spengler Date: Mon Dec 2 17:20:00 2013 -0500 Fix qemu -cpu Haswell booting with pax_nouderef on the kernel cmdline init/main.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a72ed588cbbda00d356529507b6bdca56c19d4c3 Merge: 3f201fe db6d69f Author: Brad Spengler Date: Sat Nov 30 10:46:15 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/dcache.c ipc/shm.c net/sunrpc/clnt.c commit db6d69f61412f929242423f92d52f4c2c74bab5d Merge: 1f411d7 050dcf4 Author: Brad Spengler Date: Sat Nov 30 10:40:33 2013 -0500 Merge branch 'linux-3.12.y' into pax-test commit 3f201fe9a368a4b0339a2f3cf1259b785ae8374c Author: Brad Spengler Date: Tue Nov 26 15:16:48 2013 -0500 Fix null deref on application of the shutdown role, reported by zakalwe grsecurity/gracl.c | 58 ++++++++++++++++++++++++++++++++++++++++++++- grsecurity/gracl_policy.c | 58 ++++----------------------------------------- 2 files changed, 62 insertions(+), 54 deletions(-) commit f5648d16a7cc79abe6de7ae62e284fa511bb750a Author: Brad Spengler Date: Tue Nov 26 13:04:07 2013 -0500 Add system library paths to allowed areas for usermode helper calls, later we will also add checks to ensure the file is owned by root kernel/kmod.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit c610c1f0f580069a1dc9d58c0eb0bddd33cbc25c Author: Brad Spengler Date: Tue Nov 26 12:59:00 2013 -0500 Fix gr_policy_state -> gr_reload_state typo that clobbered the oldalloc pointer causing a NULL deref on RBAC reload, reported by zakalwe grsecurity/gracl_policy.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4026c926f19d7642c1f89895b556fe2addaef239 Author: Al Viro Date: Wed Nov 13 07:45:40 2013 -0500 Upstream commit: ede4cebce16f5643c61aedd6d88d9070a1d23a68 prepend_path() needs to reinitialize dentry/vfsmount/mnt on restarts ... and equivalent is needed in 3.12; it's broken there as well Signed-off-by: Al Viro Conflicts: fs/dcache.c fs/dcache.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) commit c68d27fa66951166bff79a5c1bcc26985ac3f8bc Merge: 94b560b 1f411d7 Author: Brad Spengler Date: Mon Nov 25 23:09:47 2013 -0500 Merge branch 'pax-test' into grsec-test commit 1f411d73c56904d2be9cde1f78aaec7f4554dab1 Merge: 5f17cd8 6beb1be Author: Brad Spengler Date: Mon Nov 25 23:09:34 2013 -0500 Merge branch 'linux-3.12.y' into pax-test commit 94b560b0163a20b9eab9ec77b83f0bff853fe601 Author: Brad Spengler Date: Mon Nov 25 22:33:33 2013 -0500 compile fix kernel/kmod.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 58c014d37769d384c2e3c06ce5f60fe54f855b24 Merge: 48ac6ac 5f17cd8 Author: Brad Spengler Date: Mon Nov 25 22:27:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c commit 5f17cd87d5c7faf606255f061dd394f6761e38df Author: Brad Spengler Date: Mon Nov 25 22:25:42 2013 -0500 Update to pax-linux-3.12.1-test2.patch: - made arm/UDEREF violation reports more consistent, reported by acez and spender - added a bit more amd64 kernel page table hardening - fixed some constify related compiler errors - fixed stack trace reports under i386/KERNEXEC, reported by ncopa and minipli - updated the size overflow hash table arch/arm/mm/fault.c | 16 ++- arch/x86/include/asm/paravirt_types.h | 2 +- arch/x86/kernel/head_64.S | 18 ++- drivers/gpu/drm/radeon/radeon_ttm.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hwmon/nct6775.c | 6 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8188eu/include/rtw_io.h | 2 +- include/linux/hwmon-sysfs.h | 1 + include/linux/pm.h | 1 + include/linux/vga_switcheroo.h | 8 +- net/core/sysctl_net_core.c | 2 +- scripts/link-vmlinux.sh | 4 +- sound/soc/soc-core.c | 6 +- tools/gcc/size_overflow_hash.data | 142 ++++++++++++-------- 21 files changed, 145 insertions(+), 111 deletions(-) commit 48ac6ac8a1fd55f2b276bf5326ce52782b7c554f Author: Brad Spengler Date: Mon Nov 25 12:01:21 2013 -0500 Conventions exist for a reason -- systemd knows better though and decides to put security-sensitive system administration utilities into /usr/lib/systemd in contrast to *every* other user of usermode helpers. Work around this stupidity kernel/kmod.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9ed081196dcaa72bae91d5a31329e35bd480d92b Author: Brad Spengler Date: Sun Nov 24 22:49:05 2013 -0500 Revert "HID: multitouch: validate feature report details" This reverts commit 8aeb7645473b408fc6b2bd78a72671351fc8e684. drivers/hid/hid-multitouch.c | 25 +++++-------------------- 1 files changed, 5 insertions(+), 20 deletions(-) commit 801d69b26655ea7240df45ad14f96054e4d9803a Author: Brad Spengler Date: Sun Nov 24 22:48:49 2013 -0500 Revert "HID: lenovo-tpkbd: validate output report details" This reverts commit 91bfda18a5711db32c984c632f47fa57458d993a. drivers/hid/hid-lenovo-tpkbd.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit 1f70f596dd47ca9467a06b19ffc341c147ea4a23 Author: Brad Spengler Date: Sun Nov 24 22:48:33 2013 -0500 Revert "HID: steelseries: validate output report details" This reverts commit 0996966348dc3c3f7515567d3245292785d484fc. drivers/hid/hid-steelseries.c | 5 ----- 1 files changed, 0 insertions(+), 5 deletions(-) commit 8101ee4167c83f850cc2366088e3f60d01dcb9f7 Author: Brad Spengler Date: Sun Nov 24 22:22:03 2013 -0500 remove __no_const from pv_lock_ops as it's not constified by the plugin arch/x86/include/asm/paravirt_types.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a94e46e08a9d8236544f881faa9cccecfe9c702b Author: Brad Spengler Date: Sun Nov 24 22:08:33 2013 -0500 add missing header fs/proc/proc_sysctl.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit f0018c34f5ef840fffac10eb60fed9048317832f Author: Brad Spengler Date: Sun Nov 24 22:04:55 2013 -0500 Replace nsown_capable with an ns_capable check against the user_ns associated with the net namespace fs/proc/proc_sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 99a6a515bf625395fa31892f46311c3877a3fa93 Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 10b6650a259b9a5911a33fc9aaf6677920830eee Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. Signed-off-by: Brad Spengler grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit b035ba537ccc7dc58b9643ab58a2f5a7b4e6738e Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change Signed-off-by: Brad Spengler init/main.c | 12 +++--------- 1 files changed, 3 insertions(+), 9 deletions(-) commit a898fff136a97e265c63375a2a03ebd91c9c1286 Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path Signed-off-by: Brad Spengler include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit 1ae8347eb782c4e961210052e2de554bfdb52980 Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC Signed-off-by: Brad Spengler arch/arm/mm/fault.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 71643b46e6b67e76e52153559d0dc4004c402141 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c Signed-off-by: Brad Spengler grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit e357e72d769e5c35167e2bf934c722fc825ee2cd Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected Signed-off-by: Brad Spengler kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 4ed2dc55aa2344b9ade6cddbe5ee8b51b6239c54 Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well Signed-off-by: Brad Spengler fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 211bbd408a1d7bc2e9ef72df07aa7ce0cbd6c49d Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c Signed-off-by: Brad Spengler net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 4bd8414bb148cf8681c8f1d2deda5739cafb6917 Author: Hannes Frederic Sowa Date: Mon Nov 18 07:07:45 2013 +0100 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 ping: prevent NULL pointer dereference on write to msg_name A plain read() on a socket does set msg->msg_name to NULL. So check for NULL pointer first. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv4/ping.c | 34 +++++++++++++++++++--------------- 1 files changed, 19 insertions(+), 15 deletions(-) commit ccc6e0dd63fc36c5c7fd1bbe4f8fed6533d188a1 Author: Hannes Frederic Sowa Date: Mon Nov 18 04:20:45 2013 +0100 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb Suggested-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ieee802154/dgram.c | 3 +-- net/ipv4/ping.c | 19 +++++++------------ net/ipv4/raw.c | 4 +--- net/ipv4/udp.c | 7 +------ net/ipv6/raw.c | 4 +--- net/ipv6/udp.c | 5 +---- net/l2tp/l2tp_ip.c | 4 +--- net/phonet/datagram.c | 9 ++++----- 8 files changed, 17 insertions(+), 38 deletions(-) commit 0db1e136415d5696b2342b953361ef7c3017247d Author: Jeff Layton Date: Wed Nov 13 09:08:21 2013 -0500 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. There is no guarantee that doing so will work however, so we can end up retrying the call in an infinite loop. Worse yet, we create the new client using rpc_clone_client_set_auth, which creates the new client as a child of the old one. Thus, we can end up with a *very* long lineage of rpc_clnts. When we go to put all of the references to them, we can end up with a long call chain that can smash the stack as each rpc_free_client() call can recurse back into itself. This patch fixes this by simply ensuring that the SETCLIENTID call will only be retried in this situation if the last attempt did not use RPC_AUTH_UNIX. Note too that with this change, we don't need the (i > 2) check in the -EACCES case since we now have a more reliable test as to whether we should reattempt. Cc: stable@vger.kernel.org # v3.10+ Cc: Chuck Lever Tested-by/Acked-by: Weston Andros Adamson Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Brad Spengler fs/nfs/nfs4state.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 74d59ef1b28635f588c47b270777cd69b0e8291f Author: Trond Myklebust Date: Tue Nov 12 17:24:36 2013 -0500 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b SUNRPC: Avoid deep recursion in rpc_release_client In cases where an rpc client has a parent hierarchy, then rpc_free_client may end up calling rpc_release_client() on the parent, thus recursing back into rpc_free_client. If the hierarchy is deep enough, then we can get into situations where the stack simply overflows. The fix is to have rpc_release_client() loop so that it can take care of the parent rpc client hierarchy without needing to recurse. Reported-by: Jeff Layton Reported-by: Weston Andros Adamson Reported-by: Bruce Fields Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust Signed-off-by: Brad Spengler net/sunrpc/clnt.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 8ae59cf66f3a302d45578171337df2d8fe35458c Author: Trond Myklebust Date: Fri Nov 8 16:03:50 2013 -0500 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 SUNRPC: Fix a data corruption issue when retransmitting RPC calls The following scenario can cause silent data corruption when doing NFS writes. It has mainly been observed when doing database writes using O_DIRECT. 1) The RPC client uses sendpage() to do zero-copy of the page data. 2) Due to networking issues, the reply from the server is delayed, and so the RPC client times out. 3) The client issues a second sendpage of the page data as part of an RPC call retransmission. 4) The reply to the first transmission arrives from the server _before_ the client hardware has emptied the TCP socket send buffer. 5) After processing the reply, the RPC state machine rules that the call to be done, and triggers the completion callbacks. 6) The application notices the RPC call is done, and reuses the pages to store something else (e.g. a new write). 7) The client NIC drains the TCP socket send buffer. Since the page data has now changed, it reads a corrupted version of the initial RPC call, and puts it on the wire. This patch fixes the problem in the following manner: The ordering guarantees of TCP ensure that when the server sends a reply, then we know that the _first_ transmission has completed. Using zero-copy in that situation is therefore safe. If a time out occurs, we then send the retransmission using sendmsg() (i.e. no zero-copy), We then know that the socket contains a full copy of the data, and so it will retransmit a faithful reproduction even if the RPC call completes, and the application reuses the O_DIRECT buffer in the meantime. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org Signed-off-by: Brad Spengler net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- 1 files changed, 21 insertions(+), 7 deletions(-) commit 1a40aeaa23860a26df02c9c8729937b6da2bcdd6 Author: Dan Carpenter Date: Thu Nov 14 11:21:10 2013 +0300 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 isdnloop: use strlcpy() instead of strcpy() These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Brad Spengler drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit a7a1549064b332e878efa22fdebed32035cc8f07 Author: Eric Dumazet Date: Thu Nov 14 13:37:54 2013 -0800 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf ipv4: fix possible seqlock deadlock ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters. Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") Signed-off-by: Eric Dumazet Reported-by: Dave Jones Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv4/datagram.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 96b7719c933229c8619f8ad207c141dcc70d546e Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC Signed-off-by: Brad Spengler grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0001071fa9ff6ef9370a370bea51bef2f1e3c2ab Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 05ae94add600530e3ae98f9a153cb6423b91e46a Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit f5be6d902d5b36c0fb40aabb61f686e510a2d887 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c Signed-off-by: Brad Spengler drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e60c412c422f72a52c819465db8b81991d861390 Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 17d5ff67a76aab404c8cbe13576d492a7a8b342a Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND Signed-off-by: Brad Spengler arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit b4aa2136272e6b1cdbb285a74ee17471dd679dfa Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. Signed-off-by: Brad Spengler mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 197a69f1783917091d60db2a3ffd7ff14d41489d Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing Signed-off-by: Brad Spengler fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 010702a965acb2aea4d81510f99d788ab6564123 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig Signed-off-by: Brad Spengler security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 09ce0d45a4fc86ca1389260bf28a62f98ccff362 Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c Signed-off-by: Brad Spengler lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 60a1f79d72bdfc2c6aed1be9537559959a0b8b55 Author: Jason Wang Date: Fri Nov 1 15:01:10 2013 +0800 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd net: flow_dissector: fail on evil iph->ihl We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/core/flow_dissector.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9743a1eca0b0172da4ec07bc07fa30fcccb9fba7 Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/uio/uio.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 187b4936fbaaafd087556919bae3b719e67536b8 Author: Brad Spengler Date: Wed Oct 16 18:36:25 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause Signed-off-by: Brad Spengler kernel/audit.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0e48ab30113de43958987e9f0d20fb816892c090 Author: Brad Spengler Date: Wed Oct 16 19:02:32 2013 -0400 add 2nd chunk of audit nlmsg_len() fix from minipli Signed-off-by: Brad Spengler kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5e6b4bcb3a38c94605e9fa68d6c5936438fb0d8 Author: Brad Spengler Date: Wed Oct 16 18:37:59 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd Signed-off-by: Brad Spengler kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb491ad409ee7efadcb00041cd31e9e411efebb Author: Brad Spengler Date: Wed Oct 16 18:41:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Bart De Schuymer Signed-off-by: Mathias Krause Conflicts: net/bridge/netfilter/ebt_ulog.c Signed-off-by: Brad Spengler net/bridge/netfilter/ebt_ulog.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 637ef6f911201af0136b794b5b602eb14efb6b7c Author: Brad Spengler Date: Wed Oct 16 18:43:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Signed-off-by: Mathias Krause Conflicts: net/ipv4/netfilter/ipt_ULOG.c Signed-off-by: Brad Spengler net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 103af82880576436f1fceafec93da69f0d55d019 Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change Signed-off-by: Brad Spengler grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit 7749496c3667613ea505823948c0f4f4d9c1d90c Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 4463e68a60d4fb557d37f993f42e3039041550fc Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed Signed-off-by: Brad Spengler net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit efafe8039b3287f73e0abcb4f7be18e83a5c9a2e Author: Brad Spengler Date: Sun Sep 15 08:53:27 2013 -0400 resync with PaX Signed-off-by: Brad Spengler security/selinux/hooks.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 79b41d988ecb86d7dd46f3319b50f4c4d46e65a7 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) Signed-off-by: Brad Spengler lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0f3840d1103e4bf77d4e2098afc4750bb6440ecc Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit c5f66cfeabad4b64a521d1442f7ea9149c011320 Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c Signed-off-by: Brad Spengler fs/namei.c | 50 +++++++++++--------------------------------------- 1 files changed, 11 insertions(+), 39 deletions(-) commit c264c5b4c33c462b41d224091602fe5c9acb163b Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() Signed-off-by: Brad Spengler fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af7bdc7d41a1a8b631802772088968ceacd0d6b4 Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 00eb4028fcc737e2451332e3177705913c9b1bb1 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7adc4a28e2a0ef38f89bbd648a2e1ba70cad852e Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 472e0e1d1516b3002ce1e256dfcd58701358d5f8 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 92745146ec948d5761ac00f98c4a1612c8e6037e Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit eac5b7076235de7b21757cab257415ab779cc7c8 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8e4ea40613a9763d1dc128fdf29c0279001b5e04 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 0996966348dc3c3f7515567d3245292785d484fc Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 91bfda18a5711db32c984c632f47fa57458d993a Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 8aeb7645473b408fc6b2bd78a72671351fc8e684 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 1a624940a4733c04c0f997820c1dcd1eebfcd5bc Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit acca67efb4aeee03672b5d2947da311dcfc2a1d6 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit cb33df1c5ce5f74fcb7d4a2f5b2d07d54d4e1fd8 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 72e55282becb58c925f9034fe717cad96f7fc51d Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 2f8d8b1de901cce7ac5a5dc4f3b8731ba58653d9 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit c414e04ef91fca7dfd260ae307272b1b9a29d1bd Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit b11ccf0d90b1244a91e0422ecd1a1b4918384ff7 Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 81c244a4d186918eb5bde824945878803fb5aeeb Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0f32f992d91442e87628fa805f488c2431930df7 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit b570e8d61ff1670d0737acd9919316ac32fce732 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f580da3b1ddbecc3f65a7957986742bea34c5851 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2b23c36d322e9ebea5621652b77ad2569a3826d Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit ecb7724fd1bcd4fa57059d6297d4f74d4ec93fe6 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a2d7b00383303a5d537e64519dbd31d51645d28e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit 9513c974076339e5b4ba8974b50fd3e9fe18a0d8 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 97af65d0dbfaf8680a7f9a17c45a10892fe907d0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit b2362a07aecb8b86d3dd5e0696ea6dc546ea3144 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 9c0a788e099e0a78bb83961bf02d82ac2c32e21c Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1975575638ae15faba25f749a9040345a73e12e1 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 1282e76e8da58821760a5519cd7bd2510ad7deaf Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 6aa728a7c77d5fe62dd0b731e76b518f85db7808 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 176f65b9498eb83576294934d94bb80f3830e99a Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit f039eddf22e143d336421325eb689a76227956b3 Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 4594be163c41c9a400f0b377e6c35d8fb5599387 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 54a18c9ea152b14381ed3fb4b0a86ef78bd611af Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 166e0c9ff369a931bec65abda32811bb0b548506 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit ee1e4712f5b32f43da0130efedbeb158d7f63562 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit a629a151f557380fed415b226fe5e0e234a285eb Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 218c33ffd6a34fe09037784138dda02b817c1c20 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit e7291feaff2e3dd3d4d01016419cc1dd16ab9658 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 527c8e008b6729ad595c652119128c0a858c0f7e Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 0a6c24237be46318780bd5aa0a0c37837336e40a Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 0c11bf85db37db5667cfb61caf0c72e8437e4197 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit c32fb26e578c2b1b98654e72ceeafc58906acf06 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 80bb153435dac25476b0da4a61238b229ba2b631 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit d7f8a40e0fc1dc1466a271ac33074b6f90226a1a Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 00e035016762dfa49b15cf310ab57fc7011fb4dd Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a144fc9f2f2f6a1d5999b6bd226d964b8b551e31 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 26dd795769f903add193b605f051bed55bf95507 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit c441e54c74284d2dac3aaaf282391f6572239e24 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit ecea885713f4d818032182d839c86dc74ac95b04 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Signed-off-by: Brad Spengler Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 12 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 128 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 256 ++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 29 + kernel/capability.c | 40 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 228 files changed, 4141 insertions(+), 2027 deletions(-) commit 62c18efae524d4cd41939c1d63989d3582b1131a Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 718ed34658f4e4716ff3c9e6d098552d357d19f1 Author: Brad Spengler Date: Sun Nov 24 20:58:05 2013 -0500 Initial import of pax-linux-3.12.1-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 23 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 31 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 24 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 4 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 134 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 ++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 16 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 2 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 6 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 157 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 8 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 74 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 136 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 79 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 108 +- arch/x86/include/asm/uaccess_32.h | 96 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 69 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 130 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 +- arch/x86/kernel/entry_64.S | 666 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/jump_label.c | 6 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 63 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 63 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 89 +- arch/x86/lib/copy_user_nocache_64.S | 22 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 22 +- arch/x86/lib/memmove_64.S | 36 +- arch/x86/lib/memset_64.S | 11 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 359 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 564 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 139 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 38 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 11 +- arch/x86/xen/smp.c | 21 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 4 +- drivers/bluetooth/btwilink.c | 2 +- drivers/bus/arm-cci.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 13 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 67 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 8 +- drivers/gpu/drm/drm_fops.c | 16 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 20 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/host1x/drm/dc.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bcache/super.c | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 4 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 67 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 6 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 15 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 656 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 18 +- fs/dcache.c | 3 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 200 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hostfs/hostfs_kern.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 41 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitops.h | 4 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/jiffies.h | 12 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 118 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 19 +- include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 - include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 9 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 20 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 4 +- include/net/netns/ipv6.h | 4 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 13 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 10 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 12 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 166 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 10 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 26 +- kernel/rcutree_plugin.h | 30 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 49 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 1 - kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/percpu-refcount.c | 2 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 +- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 591 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 42 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 108 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 2 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 75 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 4 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 6 +- net/core/sock.c | 28 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ieee802154/6lowpan.c | 2 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 18 +- net/ipv6/addrconf.c | 12 +- net/ipv6/af_inet6.c | 2 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 17 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 17 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 8 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/svcauth_unix.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 4 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 22 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/module-common.lds | 4 + scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 690 ++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 11 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 471 ++ tools/gcc/latent_entropy_plugin.c | 335 + tools/gcc/size_overflow_hash.data | 7613 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 3840 ++++++++++ tools/gcc/stackleak_plugin.c | 327 + tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1701 files changed, 36050 insertions(+), 7719 deletions(-) commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466 Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit d8981a4fd03025434a466fd87a0eaea93755bc70 Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change init/main.c | 12 +++--------- 1 files changed, 3 insertions(+), 9 deletions(-) commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit ecdd0610bef058fd33fee50b489d949c1a0db07a Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC arch/arm/mm/fault.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 3f4adfade80bba0d865b5c603bd58da555ca4553 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit d4a9bb63091852b5b49ebd216796b374e5c0dc71 Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit e727db195f8bed17c65d050e1772643d730fe565 Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb Merge: 2fcc3a5 2d1263b Author: Brad Spengler Date: Fri Nov 22 21:11:44 2013 -0500 Merge branch 'pax-test' into grsec-test commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1 Merge: d52f291 e0cd057 Author: Brad Spengler Date: Fri Nov 22 21:11:33 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: drivers/net/ethernet/chelsio/cxgb3/sge.c commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972 Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b Author: Hannes Frederic Sowa Date: Mon Nov 18 07:07:45 2013 +0100 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 ping: prevent NULL pointer dereference on write to msg_name A plain read() on a socket does set msg->msg_name to NULL. So check for NULL pointer first. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv4/ping.c | 34 +++++++++++++++++++--------------- 1 files changed, 19 insertions(+), 15 deletions(-) commit 8bb32f2682953e1b748a59c4a4363b237c3510df Author: Hannes Frederic Sowa Date: Mon Nov 18 04:20:45 2013 +0100 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb Suggested-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ieee802154/dgram.c | 3 +-- net/ipv4/ping.c | 19 +++++++------------ net/ipv4/raw.c | 4 +--- net/ipv4/udp.c | 7 +------ net/ipv6/raw.c | 4 +--- net/ipv6/udp.c | 5 +---- net/l2tp/l2tp_ip.c | 4 +--- net/phonet/datagram.c | 9 ++++----- 8 files changed, 17 insertions(+), 38 deletions(-) commit 642d754081c130a151e7df27e5c07edf2f368106 Author: Jeff Layton Date: Wed Nov 13 09:08:21 2013 -0500 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. There is no guarantee that doing so will work however, so we can end up retrying the call in an infinite loop. Worse yet, we create the new client using rpc_clone_client_set_auth, which creates the new client as a child of the old one. Thus, we can end up with a *very* long lineage of rpc_clnts. When we go to put all of the references to them, we can end up with a long call chain that can smash the stack as each rpc_free_client() call can recurse back into itself. This patch fixes this by simply ensuring that the SETCLIENTID call will only be retried in this situation if the last attempt did not use RPC_AUTH_UNIX. Note too that with this change, we don't need the (i > 2) check in the -EACCES case since we now have a more reliable test as to whether we should reattempt. Cc: stable@vger.kernel.org # v3.10+ Cc: Chuck Lever Tested-by/Acked-by: Weston Andros Adamson Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2 Author: Chuck Lever Date: Wed Jul 24 12:28:28 2013 -0400 Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e NFS: Use root's credential for lease management when keytab is missing Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting" Fri Sep 14 17:24:32 2012 introduced Uniform Client String support, which forces our NFS client to establish a client ID immediately during a mount operation rather than waiting until a user wants to open a file. Normally machine credentials (eg. from a keytab) are used to perform a mount operation that is protected by Kerberos. Before 05fc350, SETCLIENTID used a machine credential, or fell back to a regular user's credential if no keytab is available. On clients that don't have a keytab, performing SETCLIENTID early means there's no user credential to fall back on, since no regular user has kinit'd yet. 05f4c350 seems to have broken the ability to mount with sec=krb5 on clients that don't have a keytab in kernels 3.7 - 3.10. To address this regression, commit 4edaa308 (NFS: Use "krb5i" to establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013, was merged in 3.10. This commit forces the NFS client to fall back to AUTH_SYS for lease management operations if no keytab is available. Neil Brown noticed that, since root is required to kinit to do a sec=krb5 mount when a client doesn't have a keytab, we can try to use root's Kerberos credential before AUTH_SYS. Now, when determining a principal and flavor to use for lease management, the NFS client tries in this order: 1. Flavor: AUTH_GSS, krb5i Principal: service principal (via keytab) 2. Flavor: AUTH_GSS, krb5i Principal: user principal established for UID 0 (via kinit) 3. Flavor: AUTH_SYS Principal: UID 0 / GID 0 Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) commit 6ebab64904f37af82e950b0c6d321437e810b248 Author: Trond Myklebust Date: Tue Nov 12 17:24:36 2013 -0500 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b SUNRPC: Avoid deep recursion in rpc_release_client In cases where an rpc client has a parent hierarchy, then rpc_free_client may end up calling rpc_release_client() on the parent, thus recursing back into rpc_free_client. If the hierarchy is deep enough, then we can get into situations where the stack simply overflows. The fix is to have rpc_release_client() loop so that it can take care of the parent rpc client hierarchy without needing to recurse. Reported-by: Jeff Layton Reported-by: Weston Andros Adamson Reported-by: Bruce Fields Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit fcb4306973aed105cc6d042077bf31e21b812008 Author: Trond Myklebust Date: Fri Nov 8 16:03:50 2013 -0500 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 SUNRPC: Fix a data corruption issue when retransmitting RPC calls The following scenario can cause silent data corruption when doing NFS writes. It has mainly been observed when doing database writes using O_DIRECT. 1) The RPC client uses sendpage() to do zero-copy of the page data. 2) Due to networking issues, the reply from the server is delayed, and so the RPC client times out. 3) The client issues a second sendpage of the page data as part of an RPC call retransmission. 4) The reply to the first transmission arrives from the server _before_ the client hardware has emptied the TCP socket send buffer. 5) After processing the reply, the RPC state machine rules that the call to be done, and triggers the completion callbacks. 6) The application notices the RPC call is done, and reuses the pages to store something else (e.g. a new write). 7) The client NIC drains the TCP socket send buffer. Since the page data has now changed, it reads a corrupted version of the initial RPC call, and puts it on the wire. This patch fixes the problem in the following manner: The ordering guarantees of TCP ensure that when the server sends a reply, then we know that the _first_ transmission has completed. Using zero-copy in that situation is therefore safe. If a time out occurs, we then send the retransmission using sendmsg() (i.e. no zero-copy), We then know that the socket contains a full copy of the data, and so it will retransmit a faithful reproduction even if the RPC call completes, and the application reuses the O_DIRECT buffer in the meantime. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- 1 files changed, 21 insertions(+), 7 deletions(-) commit 2c59d4080ae744532dbe595f6923dcba72279977 Merge: b2b99c6 d52f291 Author: Brad Spengler Date: Mon Nov 18 19:07:55 2013 -0500 Merge branch 'pax-test' into grsec-test commit d52f291621da9227cda5fd647e82dfe9bfc11265 Author: Brad Spengler Date: Mon Nov 18 19:07:14 2013 -0500 Update to pax-linux-3.11.8-test14.patch: - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878) mm/page_alloc.c | 2 +- tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++---------- 2 files changed, 25 insertions(+), 11 deletions(-) commit b2b99c6972e345565d561b722de210f071e5e259 Author: Brad Spengler Date: Thu Nov 14 20:47:37 2013 -0500 Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e ipv6: fix headroom calculation in udp6_ufo_fragment Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp fragmentation for tunnel traffic.") changed the calculation if there is enough space to include a fragment header in the skb from a skb->mac_header dervived one to skb_headroom. Because we already peeled off the skb to transport_header this is wrong. Change this back to check if we have enough room before the mac_header. This fixes a panic Saran Neti reported. He used the tbf scheduler which skb_gso_segments the skb. The offsets get negative and we panic in memcpy because the skb was erroneously not expanded at the head. Reported-by: Saran Neti Cc: Pravin B Shelar Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/udp_offload.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 012ee7647e16f464f8d1ad004e28eac2ba778158 Author: Dan Carpenter Date: Thu Nov 14 11:21:10 2013 +0300 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 isdnloop: use strlcpy() instead of strcpy() These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f Author: Eric Dumazet Date: Thu Nov 14 13:37:54 2013 -0800 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf ipv4: fix possible seqlock deadlock ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters. Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") Signed-off-by: Eric Dumazet Reported-by: Dave Jones Signed-off-by: David S. Miller net/ipv4/datagram.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1a642170613ae336331f2df38aa8f2c1227d3c96 Merge: 60c6423 84d78c7 Author: Brad Spengler Date: Thu Nov 14 20:28:51 2013 -0500 Merge branch 'pax-test' into grsec-test commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730 Author: Brad Spengler Date: Thu Nov 14 20:28:07 2013 -0500 Update to pax-linux-3.11.8-test13.patch: - forward port to 3.11.8 - removed some no longer used code from bpf jit - fixed some atomic_unchecked_t usage in oprofile and uio - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy arch/x86/include/asm/mmu_context.h | 8 ++++++++ arch/x86/kernel/setup.c | 2 +- drivers/bluetooth/btwilink.c | 2 +- drivers/md/dm-table.c | 2 +- drivers/message/i2o/i2o_proc.c | 16 ++++++++-------- drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/oprofilefs.c | 4 ++-- drivers/platform/x86/msi-wmi.c | 2 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++---- drivers/usb/serial/console.c | 2 +- include/linux/filter.h | 4 ---- kernel/audit.c | 2 +- 20 files changed, 41 insertions(+), 45 deletions(-) commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43 Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit 27c3b43bd5ad9c9b877016f26192dbc30da54018 Merge: 08e883f d0a09ad Author: Brad Spengler Date: Wed Nov 13 22:27:13 2013 -0500 Merge branch 'pax-test' into grsec-test commit d0a09ad6430008135b98da6e1941e98a6110b59e Merge: 4e826ac 02709ef Author: Brad Spengler Date: Wed Nov 13 22:27:03 2013 -0500 Merge branch 'linux-3.11.y' into pax-test commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 094c08532f9877a287ffac7a87b05841a56b4e5d Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e383790f8252620f52895e202cc057c4318da3f4 Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26 Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 17f832897194f46c4759aa02e048ad5623a04eed Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20 Merge: fb281bd 4e826ac Author: Brad Spengler Date: Wed Nov 6 17:27:16 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/l2tp/l2tp_core.c commit 4e826ac763867707352d93b7d23ed86e4c6829cf Merge: e309bfb 39773be Author: Brad Spengler Date: Wed Nov 6 17:26:23 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: net/compat.c commit fb281bdee5ccb76facfe1172318a867b624011f4 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba Author: Dan Carpenter Date: Tue Oct 29 23:01:43 2013 +0300 Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Staging: sb105x: info leak in mp_get_count() The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/sb105x/sb_pci_mp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de Author: Dan Carpenter Date: Tue Oct 29 22:06:04 2013 +0300 Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write() We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds arch/um/kernel/exitcode.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 1285d10ec38f216f3c5de7ce085ce43447c78916 Author: Jason Wang Date: Fri Nov 1 15:01:10 2013 +0800 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd net: flow_dissector: fail on evil iph->ihl We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/core/flow_dissector.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc Author: Ming Lei Date: Thu Oct 31 16:34:17 2013 -0700 Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to. Unfortunately, the commit may introduce a potential bug: - Before sending some SCSI commands, kmalloc() buffer may be passed to block layper, so flush_kernel_dcache_page() can see a slab page finally - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page. - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered. Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page(). Signed-off-by: Ming Lei Reported-by: Aaro Koskinen Tested-by: Simon Baatz Cc: Russell King - ARM Linux Cc: Will Deacon Cc: Aaro Koskinen Acked-by: Catalin Marinas Cc: FUJITA Tomonori Cc: Tejun Heo Cc: "James E.J. Bottomley" Cc: Jens Axboe Cc: [3.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/scatterlist.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4 Author: Dan Carpenter Date: Tue Oct 29 23:01:11 2013 +0300 Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba Staging: bcm: info leak in ioctl The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/bcm/Bcmchar.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a2ab9d69265a08280241a2f2152e535316d02f53 Author: Dan Carpenter Date: Tue Oct 29 22:11:06 2013 +0300 Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5 aacraid: missing capable() check in compat ioctl In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/scsi/aacraid/linit.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e Author: Dan Carpenter Date: Tue Oct 29 23:00:15 2013 +0300 Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054 staging: wlags49_h2: buffer overflow setting station name We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit afd645c1684265260b64ec8189cbc2703b91f6ab Author: Dan Carpenter Date: Tue Oct 29 22:07:47 2013 +0300 Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 staging: ozwpan: prevent overflow in oz_cdev_write() We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/ozwpan/ozcdev.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 4a907baeb462b7e0f50923be5a9d842aec93c97a Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds Date: Sun Oct 27 15:17:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit e309bfbf7b506b2294b30233f7a3299173a75cf7 Author: Hugh Dickins Date: Wed Oct 16 13:47:09 2013 -0700 Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779 mm: revert mremap pud_free anti-fix Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail calling pmd_alloc()"). The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map() ensure that the pud, pmd, pt is already allocated, and seldom do they need to allocate; on failure, upper levels are freed if appropriate by the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an unconditional pud_free() of a most-likely still-in-use pud: saved only by the near-impossiblity of pmd_alloc() failing. Signed-off-by: Hugh Dickins Cc: Chen Gang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mremap.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 0970b16a9df08b8cca6929b6443f67df432ac3e5 Author: Eric Dumazet Date: Tue Oct 1 21:04:11 2013 -0700 Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693 net: do not call sock_put() on TIMEWAIT sockets commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. We should instead use inet_twsk_put() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/inet_hashtables.c | 2 +- net/ipv6/inet6_hashtables.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28 Author: Andi Kleen Date: Mon Sep 30 13:29:08 2013 -0700 Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645 igb: Avoid uninitialized advertised variable in eee_set_cur eee_get_cur assumes that the output data is already zeroed. It can read-modify-write the advertised field: if (ipcnfg & E1000_IPCNFG_EEE_100M_AN) 2594 edata->advertised |= ADVERTISED_100baseT_Full; This is ok for the normal ethtool eee_get call, which always zeroes the input data before. But eee_set_cur also calls eee_get_cur and it did not zero the input field. Later on it then compares agsinst the field, which can contain partial stack garbage. Zero the input field in eee_set_cur() too. Cc: jeffrey.t.kirsher@intel.com Cc: netdev@vger.kernel.org Signed-off-by: Andi Kleen Acked-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 651730a8caabce37f78d8e6c84283b96e434d19f Author: Dan Carpenter Date: Thu Oct 3 00:27:20 2013 +0300 Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8 net: heap overflow in __audit_sockaddr() We need to cap ->msg_namelen or it leads to a buffer overflow when we to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to exploit this bug. The call tree is: ___sys_recvmsg() move_addr_to_user() audit_sockaddr() __audit_sockaddr() Reported-by: Jüri Aedla Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Conflicts: net/compat.c net/compat.c | 2 ++ net/socket.c | 24 ++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc Author: Salva Peiró Date: Wed Oct 16 12:46:50 2013 +0200 Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 wanxl: fix info leak in ioctl The wanxl_ioctl() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: David S. Miller drivers/net/wan/wanxl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f Author: Geyslan G. Bem Date: Fri Oct 11 16:49:16 2013 -0300 Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4 ecryptfs: Fix memory leakage in keystore.c In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem Signed-off-by: Tyler Hicks Cc: stable@vger.kernel.org # v2.6.28+ fs/ecryptfs/keystore.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 0ccb7b191245318a36bbd1f59a1846dda72cb738 Author: Colin Ian King Date: Thu Oct 24 14:08:07 2013 +0000 Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e eCryptfs: fix 32 bit corruption issue Shifting page->index on 32 bit systems was overflowing, causing data corruption of > 4GB files. Fix this by casting it first. https://launchpad.net/bugs/1243636 Signed-off-by: Colin Ian King Reported-by: Lars Duesing Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Tyler Hicks fs/ecryptfs/crypto.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4 Author: Brad Spengler Date: Sun Oct 27 13:29:49 2013 -0400 This is a replacement patch only for stable which does fix the problems handled by the following two commits in -net: "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) Three frames are written on a corked udp socket for which the output netdevice has UFO enabled. If the first and third frame are smaller than the mtu and the second one is bigger, we enqueue the second frame with skb_append_datato_frags without initializing the gso fields. This leads to the third frame appended regulary and thus constructing an invalid skb. This fixes the problem by always using skb_append_datato_frags as soon as the first frag got enqueued to the skb without marking the packet as SKB_GSO_UDP. The problem with only two frames for ipv6 was fixed by "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO" (2811ebac2521ceac84f2bdae402455baa6a7fb47). Cc: Jiri Pirko Cc: Eric Dumazet Cc: David Miller Signed-off-by: Hannes Frederic Sowa include/linux/skbuff.h | 5 +++++ net/ipv4/ip_output.c | 2 +- net/ipv6/ip6_output.c | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) commit aead8ff29424c6a5d25eb4614be91a01f9f6af00 Merge: 5cf8361 ddadc82 Author: Brad Spengler Date: Sat Oct 26 08:42:26 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec Author: Brad Spengler Date: Sat Oct 26 08:41:24 2013 -0400 - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e) - updated config help for latent entropy to reflect recent changes arch/x86/include/asm/uaccess_64.h | 4 ++-- security/Kconfig | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad Author: Johannes Weiner Date: Wed Oct 16 13:47:00 2013 -0700 Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc fs: buffer: move allocation failure loop into the allocator Buffer allocation has a very crude indefinite loop around waking the flusher threads and performing global NOFS direct reclaim because it can not handle allocation failures. The most immediate problem with this is that the allocation may fail due to a memory cgroup limit, where flushers + direct reclaim might not make any progress towards resolving the situation at all. Because unlike the global case, a memory cgroup may not have any cache at all, only anonymous pages but no swap. This situation will lead to a reclaim livelock with insane IO from waking the flushers and thrashing unrelated filesystem cache in a tight loop. Use __GFP_NOFAIL allocations for buffers for now. This makes sure that any looping happens in the page allocator, which knows how to orchestrate kswapd, direct reclaim, and the flushers sensibly. It also allows memory cgroups to detect allocations that can't handle failure and will allow them to ultimately bypass the limit if reclaim can not make progress. Reported-by: azurIt Signed-off-by: Johannes Weiner Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/buffer.c | 14 ++++++++++++-- mm/memcontrol.c | 2 ++ 2 files changed, 14 insertions(+), 2 deletions(-) commit 799326c8683d8d70b2035b1e5ab913c159112b6b Author: Miklos Szeredi Date: Thu Oct 10 16:48:19 2013 +0200 Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 ext[34]: fix double put in tmpfile d_tmpfile() already swallowed the inode ref. Signed-off-by: Miklos Szeredi Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ext3/namei.c | 5 ++--- fs/ext4/namei.c | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3 Author: Jan Klos Date: Sun Oct 6 21:08:20 2013 +0200 Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20 cifs: Fix inability to write files >2GB to SMB2/3 shares When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super(). The patch fixes this by checking for the correct bit according to the protocol version. CC: Stable Signed-off-by: Jan Klos Reviewed-by: Jeff Layton Signed-off-by: Steve French fs/cifs/cifsfs.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22 Author: Tim Gardner Date: Sun Oct 13 13:29:03 2013 -0600 Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a cifs: ntstatus_to_dos_map[] is not terminated Functions that walk the ntstatus_to_dos_map[] array could run off the end. For example, ntstatus_to_dos() loops while ntstatus_to_dos_map[].ntstatus is not 0. Granted, this is mostly theoretical, but could be used as a DOS attack if the error code in the SMB header is bogus. [Might consider adding to stable, as this patch is low risk - Steve] Reviewed-by: Jeff Layton Signed-off-by: Tim Gardner Signed-off-by: Steve French fs/cifs/netmisc.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit ed8c09a96fa260e1864c632e1dd91b1320876305 Author: Eric Dumazet Date: Tue Oct 15 11:54:30 2013 -0700 Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9 tcp: must unclone packets before mangling them TCP stack should make sure it owns skbs before mangling them. We had various crashes using bnx2x, and it turned out gso_size was cleared right before bnx2x driver was populating TC descriptor of the _previous_ packet send. TCP stack can sometime retransmit packets that are still in Qdisc. Of course we could make bnx2x driver more robust (using ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. We have identified two points where skb_unclone() was needed. This patch adds a WARN_ON_ONCE() to warn us if we missed another fix of this kind. Kudos to Neal for finding the root cause of this bug. Its visible using small MSS. Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Cc: Yuchung Cheng Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit e5dcf1772ca2a85952da10a21d0650507dc061d3 Author: Dan Carpenter Date: Mon Oct 14 15:28:38 2013 +0300 Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5 yam: integer underflow in yam_ioctl() We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be negative. I don't know the impact of using a negative bitrate but let's prevent it. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller include/linux/yam.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1f5d72d633f317248bba25158c326a61394aebf2 Merge: 7ca4328 4df1b96 Author: Brad Spengler Date: Fri Oct 18 19:36:17 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: ipc/shm.c commit 4df1b965687831808af2548487e0f35a2ccc5c29 Merge: e41125e 5070441 Author: Brad Spengler Date: Fri Oct 18 19:35:31 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/kernel/setup.c commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525 Author: Brad Spengler Date: Wed Oct 16 18:35:00 2013 -0400 From: Mathias Krause To: Evgeniy Polyakov Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check. Cc: stable@vger.kernel.org # v2.6.14+ Signed-off-by: Mathias Krause drivers/connector/connector.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489 Author: Brad Spengler Date: Wed Oct 16 18:36:25 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause kernel/audit.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9557a8727fd46e68f092dec0830a982e85b231f7 Author: Brad Spengler Date: Wed Oct 16 19:02:32 2013 -0400 add 2nd chunk of audit nlmsg_len() fix from minipli kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd Author: Brad Spengler Date: Wed Oct 16 18:37:59 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7547b29750381c776dfd47f4b1277a492d5b0f72 Author: Brad Spengler Date: Wed Oct 16 18:41:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Bart De Schuymer Signed-off-by: Mathias Krause Conflicts: net/bridge/netfilter/ebt_ulog.c net/bridge/netfilter/ebt_ulog.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528 Author: Brad Spengler Date: Wed Oct 16 18:43:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Signed-off-by: Mathias Krause Conflicts: net/ipv4/netfilter/ipt_ULOG.c net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 2965f6e6122325a18e69296ad3817c66ca59b7e3 Author: Brad Spengler Date: Wed Oct 16 18:49:45 2013 -0400 From: Mathias Krause To: "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH net] unix_diag: fix info leak When filling the netlink message we miss to wipe the pad field, therefore leak one byte of heap memory to userland. Fix this by setting pad to 0. Signed-off-by: Mathias Krause net/unix/diag.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc Author: Mathias Krause Date: Mon Sep 30 22:03:06 2013 +0200 Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682 proc connector: fix info leaks Initialize event_data for all possible message types to prevent leaking kernel stack contents to userland (up to 20 bytes). Also set the flags member of the connector message to 0 to prevent leaking two more stack bytes this way. Cc: stable@vger.kernel.org # v2.6.15+ Signed-off-by: Mathias Krause Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04 Author: AKASHI Takahiro Date: Wed Oct 9 15:58:29 2013 +0100 Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() In ftrace_syscall_enter(), syscall_get_arguments(..., 0, n, ...) if (i == 0) { ...; n--;} memcpy(..., n * sizeof(args[0])); If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in syscall_get_arguments(), none of arguments should be copied by memcpy(). Otherwise 'n--' can be a big positive number and unexpected amount of data will be copied. Tracing system calls which take no argument, say sync(void), may hit this case and eventually make the system corrupted. This patch fixes the issue both in syscall_get_arguments() and syscall_set_arguments(). Cc: Acked-by: Will Deacon Signed-off-by: AKASHI Takahiro Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/include/asm/syscall.h | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2 Author: Dave Jones Date: Thu Oct 10 20:05:35 2013 -0400 Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc ext4: fix memory leak in xattr If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentionally return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way. Spotted with Coverity. [ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug. -- Ted ] Signed-off-by: Dave Jones Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Cc: stable@vger.kernel.org fs/ext4/xattr.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 224e55268fbd4f81fca479e315c9483df591411d Author: Salva Peiró Date: Fri Oct 11 12:50:03 2013 +0300 Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194 farsync: fix info leak in ioctl The fst_get_iface() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/net/wan/farsync.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9 Author: James Hogan Date: Mon Oct 7 12:14:26 2013 +0100 Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92 MIPS: stack protector: Fix per-task canary switch Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary per task) was merged in v3.11 and introduced assembly in the MIPS resume functions to update the value of the current canary in __stack_chk_guard. However it used PTR_L resulting in a load of the canary value, instead of PTR_LA to construct its address. The value is intended to be random but is then treated as an address in the subsequent LONG_S (store). This was observed to cause a fault and panic: CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4 Oops[#1]: ... $24 : 139fea20 1e1f7cb6 ... Call Trace: [<8000cc0c>] resume+0xac/0x118 [<8034f2a4>] __schedule+0x5f8/0x78c [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c [<80348eec>] rest_init+0x74/0x84 [<804dc990>] start_kernel+0x43c/0x454 Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc This can also be forced by modifying arch/mips/include/asm/stackprotector.h so that the default __stack_chk_guard value is more likely to be a bad (or unaligned) pointer. Fix it to use PTR_LA instead, to load the address of the canary value, which the LONG_S can then use to write into it. Reported-by: bobjones (via #mipslinux on IRC) Signed-off-by: James Hogan Cc: Ralf Baechle Cc: Gregory Fong Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/6026/ Signed-off-by: Ralf Baechle arch/mips/kernel/octeon_switch.S | 2 +- arch/mips/kernel/r2300_switch.S | 2 +- arch/mips/kernel/r4k_switch.S | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c Author: Fan Du Date: Tue Sep 17 15:14:13 2013 +0800 Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda xfrm: Guard IPsec anti replay window against replay bitmap For legacy IPsec anti replay mechanism: bitmap in struct xfrm_replay_state could only provide a 32 bits window size limit in current design, thus user level parameter sadb_sa_replay should honor this limit, otherwise misleading outputs("replay=244") by setkey -D will be: 192.168.25.2 192.168.22.2 esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000) E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2 A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=1 pid=4854 refcnt=0 192.168.22.2 192.168.25.2 esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000) E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282 A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=0 pid=4854 refcnt=0 And also, optimizing xfrm_replay_check window checking by setting the desirable x->props.replay_window with only doing the comparison once for all when xfrm_state is first born. Signed-off-by: Fan Du Signed-off-by: Steffen Klassert net/key/af_key.c | 3 ++- net/xfrm/xfrm_replay.c | 3 +-- net/xfrm/xfrm_user.c | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541 Author: Thomas Egerer Date: Thu Sep 19 13:19:19 2013 +0200 Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c xfrm: Fix aevent generation for each received packet If asynchronous events are enabled for a particular netlink socket, the notify function is called by the advance function. The notify function creates and dispatches a km_event if a replay timeout occurred, or at least replay_maxdiff packets have been received since the last asynchronous event has been sent. The function is supposed to return if neither of the two events were detected for a state, or replay_maxdiff is equal to zero. Replay_maxdiff is initialized in xfrm_state_construct to the value of the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state if the netlink attribute XFRMA_REPLAY_THRESH is set. If, however, replay_maxdiff is set to zero, then all of the three notify implementations perform a break from the switch statement instead of checking whether a timeout occurred, and -- if not -- return. As a result an asynchronous event is generated for every replay update of a state that has a zero replay_maxdiff value. This patch modifies the notify functions such that they immediately return if replay_maxdiff has the value zero, unless a timeout occurred. Signed-off-by: Thomas Egerer Signed-off-by: Steffen Klassert net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++---------------------- 1 files changed, 27 insertions(+), 24 deletions(-) commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8 Author: Steffen Klassert Date: Tue Oct 8 10:49:45 2013 +0200 Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee xfrm: Add refcount handling to queued policies We need to ensure that policies can't go away as long as the hold timer is armed, so take a refcont when we arm the timer and drop one if we delete it. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 24 +++++++++++++++++------- 1 files changed, 17 insertions(+), 7 deletions(-) commit b4948dc963442682534b3a039664b564c764e4f8 Author: Steffen Klassert Date: Tue Oct 8 10:49:51 2013 +0200 Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 xfrm: check for a vaild skb in xfrm_policy_queue_process We might dreference a NULL pointer if the hold_queue is empty, so add a check to avoid this. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit fad7f264b264b0b17a307aa16162cb43c7688a30 Author: Marc Kleine-Budde Date: Mon Oct 7 23:19:58 2013 +0200 Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89 net: vlan: fix nlmsg size calculation in vlan_get_size() This patch fixes the calculation of the nlmsg size, by adding the missing nla_total_size(). Cc: Patrick McHardy Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller net/8021q/vlan_netlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd Author: François Cachereul Date: Wed Oct 2 10:16:02 2013 +0200 Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses IPv4 mapped addresses cause kernel panic. The patch juste check whether the IPv6 address is an IPv4 mapped address. If so, use IPv4 API instead of IPv6. [ 940.026915] general protection fault: 0000 [#1] [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 [ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 [ 940.026915] Stack: [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 [ 940.026915] Call Trace: [ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 [ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] [ 940.026915] [] ? pskb_expand_head+0x161/0x214 [ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] [ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] [ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] [ 940.026915] [] ? vfs_write+0xa2/0x106 [ 940.026915] [] ? SyS_write+0x56/0x8a [ 940.026915] [] ? system_call_fastpath+0x16/0x1b [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 [ 940.026915] RIP [] ip6_xmit+0x276/0x326 [ 940.026915] RSP [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: François CACHEREUL Signed-off-by: David S. Miller net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- net/l2tp/l2tp_core.h | 3 +++ 2 files changed, 26 insertions(+), 4 deletions(-) commit 2db6fe58460d400bc8b995fa2328be03e27e55e1 Merge: 28f9622 e41125e Author: Brad Spengler Date: Tue Oct 15 10:00:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/ds.c net/sysctl_net.c commit e41125e4742f332cd8cd8cf0c00cb189dba0e037 Merge: 740e5ec a145cb9 Author: Brad Spengler Date: Tue Oct 15 09:58:29 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 28f9622091224541efadf3ae006f0e5651c7fa45 Author: Brad Spengler Date: Tue Oct 1 22:48:34 2013 -0400 Fix this strlcpy crap properly arch/sparc/kernel/ds.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) commit 837193210e4125fe4e9e554b28d7bc33985f3554 Author: David S. Miller Date: Fri Sep 27 13:46:04 2013 -0700 Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355 sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using strlcpy() instead of strcpy()") added a bug to ldom_reboot in arch/sparc/kernel/ds.c - strcpy(full_boot_str + strlen("boot "), boot_command); + strlcpy(full_boot_str + strlen("boot "), boot_command, + sizeof(full_boot_str + strlen("boot "))); That last sizeof() expression evaluates to sizeof(size_t) which is not what was intended. Also even the corrected: sizeof(full_boot_str) + strlen("boot ") is not right as the destination buffer length is just plain "sizeof(full_boot_str)" and that's what the final argument should be. Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249 Author: Hannes Frederic Sowa Date: Sun Sep 29 05:40:50 2013 +0200 Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae ipv6: gre: correct calculation of max_headroom gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header, so initialize max_headroom to zero. Otherwise the if (encap_limit >= 0) { max_headroom += 8; mtu -= 8; } increments an uninitialized variable before max_headroom was reset. Found with coverity: 728539 Cc: Dmitry Kozlov Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller Conflicts: net/ipv6/ip6_gre.c net/ipv6/ip6_gre.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0d68ac550952d0eaf60851497ceee68dbba24516 Merge: 64257ad 740e5ec Author: Brad Spengler Date: Tue Oct 1 18:11:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-core.c drivers/hid/hid-lg2ff.c drivers/hid/hid-lg3ff.c drivers/hid/hid-lg4ff.c drivers/hid/hid-lgff.c drivers/hid/hid-logitech-dj.c drivers/hid/hid-steelseries.c drivers/hid/hid-zpff.c include/linux/hid.h commit 740e5ec087969afd43ae0b552b4e05914437ed32 Merge: c38c6b0 db20388 Author: Brad Spengler Date: Tue Oct 1 17:40:46 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 64257ad95c51285d415f93ebdd486fae6bb9415d Author: Hannes Frederic Sowa Date: Sat Sep 21 06:27:00 2013 +0200 Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47 ipv6: udp packets following an UFO enqueued packet need also be handled by UFO In the following scenario the socket is corked: If the first UDP packet is larger then the mtu we try to append it to the write queue via ip6_ufo_append_data. A following packet, which is smaller than the mtu would be appended to the already queued up gso-skb via plain ip6_append_data. This causes random memory corruptions. In ip6_ufo_append_data we also have to be careful to not queue up the same skb multiple times. So setup the gso frame only when no first skb is available. This also fixes a shortcoming where we add the current packet's length to cork->length but return early because of a packet > mtu with dontfrag set (instead of sutracting it again). Found with trinity. Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 53 ++++++++++++++++++++---------------------------- 1 files changed, 22 insertions(+), 31 deletions(-) commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6 Author: Dan Carpenter Date: Tue Sep 24 15:27:45 2013 -0700 Just a whitespace fix to sync with upstream as we already applied this fix via Vasiliy Kulikov in 2010. It fell through the cracks upstream cciss: fix info leak in cciss_ioctl32_passthru() The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter Acked-by: Mike Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: drivers/block/cciss.c drivers/block/cciss.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e Author: Paul E. McKenney Date: Tue Sep 24 18:29:11 2013 -0700 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b mm: Place preemption point in do_mlockall() loop There is a loop in do_mlockall() that lacks a preemption point, which means that the following can happen on non-preemptible builds of the kernel. Dave Jones reports: "My fuzz tester keeps hitting this. Every instance shows the non-irq stack came in from mlockall. I'm only seeing this on one box, but that has more ram (8gb) than my other machines, which might explain it. INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0) sending NMI to all CPUs: NMI backtrace for cpu 3 CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32 Call Trace: lru_add_drain_all+0x15/0x20 SyS_mlockall+0xa5/0x1a0 tracesys+0xdd/0xe2" This commit addresses this problem by inserting the required preemption point. Reported-by: Dave Jones Signed-off-by: Paul E. McKenney Cc: KOSAKI Motohiro Cc: Michel Lespinasse Cc: Andrew Morton Signed-off-by: Linus Torvalds mm/mlock.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9 Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit 55f1e409275973513a3314fe5bfa76a4781c0db7 Merge: 2eac654 c38c6b0 Author: Brad Spengler Date: Fri Sep 27 20:35:04 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-picolcd_core.c commit c38c6b0bbbe53bd528aeeb4a059764abc028c276 Merge: 115bf6a a3308b5 Author: Brad Spengler Date: Fri Sep 27 20:34:15 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/ia32/ia32_signal.c arch/x86/include/asm/checksum_32.h arch/x86/include/asm/mmu_context.h arch/x86/kernel/signal.c arch/x86/lib/csum-wrappers_64.c include/linux/compat.h commit 2eac65435fdffca548a56e5187840908438fc95c Merge: ba0ebde 115bf6a Author: Brad Spengler Date: Thu Sep 26 20:00:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit 115bf6af0083ea28c751d551a39cfdba1798e9dc Author: Brad Spengler Date: Thu Sep 26 19:59:14 2013 -0400 Update to pax-linux-3.11.1-test10.patch: - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040) - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released) - beefed up latent entropy extraction - latent_entropy itself will be initialized to a compile-time random value (instead of 0) - entropy will be collected from various irq and softirq handlers arch/arm/kernel/module.c | 2 ++ arch/arm/kernel/vmlinux.lds.S | 2 +- block/blk-iopoll.c | 2 +- block/blk-softirq.c | 2 +- fs/binfmt_elf.c | 8 +++++--- include/linux/genhd.h | 2 +- include/linux/random.h | 4 ++-- kernel/hrtimer.c | 2 +- kernel/rcutiny.c | 2 +- kernel/rcutree.c | 2 +- kernel/sched/fair.c | 2 +- kernel/softirq.c | 4 ++-- kernel/timer.c | 2 +- lib/percpu-refcount.c | 2 +- net/core/dev.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 2 +- 16 files changed, 24 insertions(+), 20 deletions(-) commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6 Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35 Merge: f1e4228 90db383 Author: Brad Spengler Date: Wed Sep 18 17:34:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 90db383fd7d650172d52229b0116ad7604c9bec1 Author: Brad Spengler Date: Wed Sep 18 17:32:42 2013 -0400 Update to pax-linux-3.11.1-test9.patch: - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer - better implementation of __read_only for modules - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard arch/arm/kernel/entry-common.S | 12 ++++++------ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++-- arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++- arch/x86/include/asm/cache.h | 4 ---- drivers/bus/arm-cci.c | 2 +- drivers/clk/socfpga/clk.c | 2 +- drivers/mmc/host/mmci.c | 4 +++- drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +- include/linux/cache.h | 4 ++++ net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- scripts/module-common.lds | 4 ++++ 12 files changed, 49 insertions(+), 19 deletions(-) commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810 Author: Brad Spengler Date: Wed Sep 18 17:32:25 2013 -0400 Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error" This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f. net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f1e42285e17479067b6cbcffc43916720e6dedd3 Merge: 456ca17 5e30989 Author: Brad Spengler Date: Mon Sep 16 21:42:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5e30989102e2d0df166ab6ff915b90f675f8786f Author: Brad Spengler Date: Mon Sep 16 21:41:44 2013 -0400 mark sctp_af_inet forward declaration as __read_only to fix compile error net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 456ca176141f10355c1569b29225c9ce4b7db18e Merge: b406eac 5df8f36 Author: Brad Spengler Date: Mon Sep 16 20:02:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6 Author: Brad Spengler Date: Mon Sep 16 20:01:38 2013 -0400 Update to pax-linux-3.11.1-test7.patch: - fixed arm compile error, reported by Arnaud Ebalard - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743) - fixed od_ops constification, fixes cpufreq ondemand on AMD - latent entropy will now be gathered from module init code as well (i.e., at module load/init time) - __read_only will now be enforced in modules as well - removed unneccessary __read_only from ntfs arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/x86/include/asm/cache.h | 4 ++++ drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 2 +- fs/ntfs/file.c | 4 ++-- include/linux/init.h | 5 ----- include/net/xfrm.h | 5 ++++- init/main.c | 9 +++------ mm/page_alloc.c | 1 + net/ipv4/xfrm4_policy.c | 4 ++-- net/ipv6/xfrm6_policy.c | 4 ++-- net/xfrm/xfrm_policy.c | 11 ++--------- 12 files changed, 23 insertions(+), 30 deletions(-) commit b406eac579bb3a5faa1c9d73b8af5530f942009a Author: Brad Spengler Date: Mon Sep 16 12:53:22 2013 -0400 Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce author Steffen Klassert 2013-09-09 07:39:01 (GMT) committer Steffen Klassert 2013-09-16 07:39:37 (GMT) xfrm: Fix replay size checking on async events We pass the wrong netlink attribute to xfrm_replay_verify_len(). It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as we currently doing. This causes memory corruptions if the replay esn attribute has incorrect length. Fix this by passing the right attribute to xfrm_replay_verify_len(). Reported-by: Michael Rossberg Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9 Merge: 84843a3 0a0ced6 Author: Brad Spengler Date: Sun Sep 15 11:24:30 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/wireless/ath/ath10k/core.c drivers/net/wireless/ath/ath10k/htc.c commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d Author: Brad Spengler Date: Sun Sep 15 11:21:43 2013 -0400 Update to pax-linux-3.11.1-test6.patch: - forward port to 3.11.1 - fixed some CONSTIFY fallout, reported by spender - fixed INVPCID on i386, reported by spender - simplified/consolidated the recent security_ops change arch/x86/include/asm/mmu_context.h | 4 ++-- arch/x86/include/asm/tlbflush.h | 6 +++--- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.c | 7 ++++--- include/linux/security.h | 2 -- security/security.c | 3 --- security/selinux/hooks.c | 5 +++-- 8 files changed, 16 insertions(+), 19 deletions(-) commit 84843a394cde0578be728cb5fd34da9859dcf110 Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit cc7c916cac4c2eb0ec243690627e2b6a13234fef Author: Brad Spengler Date: Sun Sep 15 08:53:27 2013 -0400 resync with PaX security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit fdeadf7ba061242685e07a2504c6be99161f292c Author: Brad Spengler Date: Sat Sep 14 23:04:53 2013 -0400 Fix constification of ath10k_hif_cb struct located on stack drivers/net/wireless/ath/ath10k/hif.h | 1 + drivers/net/wireless/ath/ath10k/htc.c | 2 +- 2 files changed, 2 insertions(+), 1 deletions(-) commit 73c6875760e610cb636f86566a1be7a744d89b82 Author: Brad Spengler Date: Sat Sep 14 22:41:06 2013 -0400 use a no_const typedef for ath10k_htc_ops, which is located on the stack drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.h | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) commit bffb0279b95b717c739365a5a25ca0391e7479b1 Author: Brad Spengler Date: Sat Sep 14 22:13:46 2013 -0400 fix compilation error under constify drivers/net/wireless/ath/ath10k/core.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1044c726fd98de89a711c6655f811600d4051e46 Merge: ffc8003 e39d12a Author: Brad Spengler Date: Sat Sep 14 21:57:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit e39d12a3b877293ba677bf7642c8887144ae1576 Author: Brad Spengler Date: Sat Sep 14 21:56:56 2013 -0400 Update to pax-linux-3.11-test5.patch: - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd) - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin mm/mremap.c | 5 ++++- tools/gcc/kernexec_plugin.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b Author: Brad Spengler Date: Sat Sep 14 21:48:03 2013 -0400 fix compile error introduced by pipacs security/selinux/hooks.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 874e80f445b1325df45f04cc317f67587e241218 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a Author: Brad Spengler Date: Sat Sep 14 19:53:56 2013 -0400 change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs arch/x86/include/asm/tlbflush.h | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838 Author: Daniel Borkmann Date: Sat Sep 7 16:44:59 2013 +0200 Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95 net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE If we do not add braces around ... mask |= POLLERR | sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; ... then this condition always evaluates to true as POLLERR is defined as 8 and binary or'd with whatever result comes out of sock_flag(). Hence instead of (X | Y) ? A : B, transform it into X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix smatch warnings inside datagram_poll") forgot about SCTP. :-( Introduced by 7d4c04fc170 ("net: add option to enable error queue packets waking select"). Signed-off-by: Daniel Borkmann Cc: Jacob Keller Acked-by: Neil Horman Acked-by: Vlad Yasevich Acked-by: Jacob Keller Signed-off-by: David S. Miller net/sctp/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986 Author: Jason Wang Date: Wed Sep 11 18:09:48 2013 +0800 Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0 tuntap: correctly handle error in tun_set_iff() Commit c8d68e6be1c3b242f1c598595830890b65cea64a (tuntap: multiqueue support) only call free_netdev() on error in tun_set_iff(). This causes several issues: - memory of tun security were leaked - use after free since the flow gc timer was not deleted and the tfile were not detached This patch solves the above issues. Reported-by: Wannes Rombouts Cc: Michael S. Tsirkin Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/net/tun.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit b504140d8590bd67ed481ea84824a9846dde2d74 Author: Herbert Xu Date: Sun Sep 8 14:33:50 2013 +1000 Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa crypto: api - Fix race condition in larval lookup crypto_larval_lookup should only return a larval if it created one. Any larval created by another entity must be processed through crypto_larval_wait before being returned. Otherwise this will lead to a larval being killed twice, which will most likely lead to a crash. Cc: stable@vger.kernel.org Reported-by: Kees Cook Tested-by: Kees Cook Signed-off-by: Herbert Xu crypto/api.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit f4212fa9ec1c34c59fabc43904e16112b776b6b2 Author: Daniel Borkmann Date: Wed Sep 11 16:58:36 2013 +0200 Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7 net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport does not seem to have the desired effect: SCTP + IPv4: 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): SCTP + IPv6: 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] Moreover, Alan says: This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X): ... 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side. Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb. Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like: SCTP + IPv6: 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch. [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf Reported-by: Alan Chester Reported-by: Alexey Dobriyan Signed-off-by: Daniel Borkmann Cc: Steffen Klassert Cc: Hannes Frederic Sowa Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/ipv6.c | 42 +++++++++++++----------------------------- 1 files changed, 13 insertions(+), 29 deletions(-) commit 726915e42b1a23b88cd420029003d82208a30006 Author: Kees Cook Date: Fri Sep 13 14:52:04 2013 -0700 Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7 isdn: clean up debug format string usage Avoid unneeded local string buffers for constructing debug output. Also cleans up debug calls that contain a single parameter so that they cannot be accidentally parsed as format strings. Signed-off-by: Kees Cook Cc: Karsten Keil Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: David S. Miller drivers/isdn/hisax/amd7930_fn.c | 4 +- drivers/isdn/hisax/avm_pci.c | 4 +- drivers/isdn/hisax/config.c | 2 +- drivers/isdn/hisax/diva.c | 4 +- drivers/isdn/hisax/elsa.c | 2 +- drivers/isdn/hisax/elsa_ser.c | 2 +- drivers/isdn/hisax/hfc_pci.c | 2 +- drivers/isdn/hisax/hfc_sx.c | 2 +- drivers/isdn/hisax/hscx_irq.c | 4 +- drivers/isdn/hisax/icc.c | 4 +- drivers/isdn/hisax/ipacx.c | 8 +++--- drivers/isdn/hisax/isac.c | 4 +- drivers/isdn/hisax/isar.c | 6 ++-- drivers/isdn/hisax/jade.c | 18 ++++---------- drivers/isdn/hisax/jade_irq.c | 4 +- drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++------------------------- drivers/isdn/hisax/netjet.c | 2 +- drivers/isdn/hisax/q931.c | 6 ++-- drivers/isdn/hisax/w6692.c | 8 +++--- 19 files changed, 57 insertions(+), 79 deletions(-) commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3 Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 5dea4b212b0405d6bcbea57516d77b21035d1178 Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c fs/namei.c | 50 +++++++++++--------------------------------------- 1 files changed, 11 insertions(+), 39 deletions(-) commit a7d5c5e2d0fd4831df19247e41c73c362809b00f Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be3db5fa6532557384fb66d2d9297d77666912cf Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce9afc12137b65991bfc7cce70e28d86bbb76956 Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 84aa149aa0f178516f5784d028522d60d35696c9 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1145b56059535549be226da9891b56ab2d902b2f Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4 Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 74dc00678ec84a254617b500a2880974dac95220 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 889852764d245f44e416da4eb203fda0bd327584 Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit f30e932a87f25b53779d1f92b49923f8a2dc9834 Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit f9eac59133855befee23d0c899e0d0e6ebcd3d44 Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9f5ae466957014bc300929374ebb7afdd9d116d6 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit b643b8f8af23488d92f16a817bf16c162d612ce1 Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 975723a41239b1befae172e88082ff4422753508 Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 05c3db7daee82d79c628c15b304f8621159e14f3 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a79f25f59fdd0abaf4ecfab93017aa49de089498 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 6fe8eb06e432f165872d3486fdce0d09de1515b3 Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c147e32922dd91edf1969b8a6eb333aafb4abb79 Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683 Author: Kees Cook Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit abde07f6c047c0331f511318cb49a36d49218dfc Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit d502375416b17270008ebdf11f1c3be7837f7c50 Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit f6c363aba68cccff2815a488a7e9ed68990100d2 Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit 5c0737b045d057152a39154746d8c8e5d59185ed Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6 Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d4d49138661d5cb646f0dd012178447380b79956 Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 4a307f7d3ff3ab232c0b6341415088e7618c494e Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 78011eb5c2454b8afc96b98bd86ac172e589b13c Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e670dc535e4501fd12d8bf00f1e1306c44266fe7 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 2834fe28e69176da6ac4989c6e3dc713faafefe5 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 2669672647f6955f0e5154596492c73cd4fda330 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 75de5da79f5e03936a79ffe2c827462000001985 Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 9055a8feb8493a30d1ad0fcef25eb496630d223f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 129b6204587740fd082e731a54d00e8a9fc35f8b Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit 67fc73af0876d311c0d01d3b16fa429f44af12b9 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 798adb5cab6c3a8056e1b415e6f34a270f369721 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 4d4945ce90d83784634b898f83cb5a7699537733 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6db464f72eff84f77335b69dc2748a3759e151d1 Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit e78a78dcfc089142273243b54509840d3b50c538 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b27005e62bebc09e6604a6f5dc099742bb6b4434 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 101b84a778c254dfd7399f5bcd6264ff437f1176 Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3e182e4da46de4c6b9a9f45d41030bef19260954 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 32537d92b8da84f38bf45eb85b6953f452064936 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 12 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 128 ++- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++--------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 256 +++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 ++- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 +++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 235 files changed, 4384 insertions(+), 1312 deletions(-) commit a76b033c58b4886552911442f1b89e0cee041dae Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit d1cf217118e0750f54aca9136d8c6a41f0ae439c Author: Brad Spengler Date: Sat Sep 14 14:36:40 2013 -0400 Initial import of pax-linux-3.11-test4.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 23 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 104 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 16 +- arch/x86/ia32/ia32entry.S | 157 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 74 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 128 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 82 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 112 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 130 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 +- arch/x86/kernel/entry_64.S | 669 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 65 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 19 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 89 +- arch/x86/lib/copy_user_nocache_64.S | 22 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 13 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 22 +- arch/x86/lib/memmove_64.S | 36 +- arch/x86/lib/memset_64.S | 11 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 571 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 139 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 39 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 7 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 24 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/host1x/drm/dc.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bcache/super.c | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.h | 4 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 6 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 648 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 18 +- fs/dcache.c | 3 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 38 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 6 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 41 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 5 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 17 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 8 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/random.h | 15 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 +- include/linux/seq_file.h | 1 + include/linux/signal.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 32 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 18 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 84 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 12 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 170 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 10 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 74 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 49 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 32 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 588 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 108 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 10 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 6 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ieee802154/6lowpan.c | 2 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 4 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 690 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 12 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 6 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 471 ++ tools/gcc/latent_entropy_plugin.c | 321 + tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2113 +++++++ tools/gcc/stackleak_plugin.c | 327 + tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1664 files changed, 32957 insertions(+), 7636 deletions(-) commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 9a7168e3d96ba81ab00bde22d38f7a035cc25466 Author: Brad Spengler Date: Sun Nov 24 17:50:21 2013 -0500 remove unnecessary code/comments after new reload method grsecurity/gracl.c | 4 ---- grsecurity/gracl_policy.c | 13 ------------- 2 files changed, 0 insertions(+), 17 deletions(-) commit 4e61142788b54cbbc4e0d3418987ee892b34ee7d Author: Brad Spengler Date: Sun Nov 24 16:05:01 2013 -0500 Version bumped to 3.0 (we'd been on 2.9.1 for way too long and numerous features have been added since then) Introduce new atomic RBAC reload method, developed as part of sponsorship by EIG This is accompanied by an updated 3.0 gradm which will use the new reload method when -R is passed to gradm. The old method will still be available via gradm -r (which is what a 2.9.1 gradm will continue to use). The new RBAC reload method is atomic in the sense that at no point in the reload process will the system not be covered by a coherent full policy. In contrast to previous reload behavior, it also preserves inherited subjects and special roles. The old RBAC reload method has also been made atomic. Both methods have been updated to perform role_allowed_ip checks only against the IP tagged to the task at the time its role was first applied or changed. This resolves long-standing usability problems with the use of role_allowed_ip and matches the policies created by learning. grsecurity/Makefile | 2 +- grsecurity/gracl.c | 3903 +++++++++++++------------------------------ grsecurity/gracl_alloc.c | 42 +- grsecurity/gracl_compat.c | 3 +- grsecurity/gracl_policy.c | 1838 ++++++++++++++++++++ grsecurity/gracl_segv.c | 12 +- grsecurity/grsec_disabled.c | 7 - grsecurity/grsec_init.c | 15 - include/linux/gracl.h | 43 +- include/linux/grinternal.h | 1 - include/linux/grsecurity.h | 1 - include/linux/sched.h | 2 + 12 files changed, 3082 insertions(+), 2787 deletions(-) commit d8981a4fd03025434a466fd87a0eaea93755bc70 Author: Brad Spengler Date: Sun Nov 24 15:08:28 2013 -0500 compile fix for recent GRKERNSEC_CHROOT_INITRD change init/main.c | 12 +++--------- 1 files changed, 3 insertions(+), 9 deletions(-) commit c3f95fe9875bea3eeb61cad1586b3f9b6226a42f Author: Brad Spengler Date: Sat Nov 23 18:27:37 2013 -0500 Make the recent usermode_helper protection race-free as far as userland is concerned by creating a copy of the path to be executed, then check against that copied path instead of the still-mutable original path include/linux/kmod.h | 3 +++ kernel/kmod.c | 13 +++++++++++++ 2 files changed, 16 insertions(+), 0 deletions(-) commit ecdd0610bef058fd33fee50b489d949c1a0db07a Author: Brad Spengler Date: Sat Nov 23 17:20:15 2013 -0500 Produce a UDEREF message when faulting on kernel access to a non-present page in the userland range. This is purely for consistency of logs, due to there being no domain present to fault based on. An "Unable to handle kernel fault.." oops would already (and still is) generated for these cases, triggering grsec's bruteforce prevention. Reported by acez on IRC arch/arm/mm/fault.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) commit 3f4adfade80bba0d865b5c603bd58da555ca4553 Author: Brad Spengler Date: Sat Nov 23 16:56:46 2013 -0500 Make GRKERNSEC_CHROOT_INITRD depend on the correct initrd option, Also make sure we mark init as run if no initrd was used. Though this should already be enforced in grsec_chroot.c, this should future-proof the feature a bit in case userland somehow changes drastically. Conflicts: init/main.c grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 2 +- init/main.c | 15 +++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) commit d4a9bb63091852b5b49ebd216796b374e5c0dc71 Author: Brad Spengler Date: Sat Nov 23 16:33:20 2013 -0500 limit all usermode helper binaries to /sbin, all other attempts will be logged and rejected kernel/kmod.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit e727db195f8bed17c65d050e1772643d730fe565 Author: Brad Spengler Date: Sat Nov 23 16:02:01 2013 -0500 perform USERCOPY kernel text checks against the linear mapping on amd64 as well fs/exec.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit 7e0e0cf6d81af9c7901e16345737157fd563ccfb Merge: 2fcc3a5 2d1263b Author: Brad Spengler Date: Fri Nov 22 21:11:44 2013 -0500 Merge branch 'pax-test' into grsec-test commit 2d1263be436ef0c7c964a2028dec3fc7e90205a1 Merge: d52f291 e0cd057 Author: Brad Spengler Date: Fri Nov 22 21:11:33 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: drivers/net/ethernet/chelsio/cxgb3/sge.c commit 2fcc3a573d2b676c6cdb1aa0c9f61ce723189972 Author: Brad Spengler Date: Fri Nov 22 20:31:37 2013 -0500 Revert "Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69" This reverts commit 8bb32f2682953e1b748a59c4a4363b237c3510df. It caused errors with traceroute, reported to upstream and fixed with http://patchwork.ozlabs.org/patch/293614/ But there's no reason for us to maintain this backport as we're already impervious to recvmsg/msg_name infoleaks Conflicts: net/ipv4/ping.c net/ieee802154/dgram.c | 3 ++- net/ipv4/ping.c | 11 +++++++++-- net/ipv4/raw.c | 4 +++- net/ipv4/udp.c | 7 ++++++- net/ipv6/raw.c | 4 +++- net/ipv6/udp.c | 5 ++++- net/l2tp/l2tp_ip.c | 4 +++- net/phonet/datagram.c | 9 +++++---- 8 files changed, 35 insertions(+), 12 deletions(-) commit 5a0b39755f07014ed0d34a432b89cfbb38b82e0b Author: Hannes Frederic Sowa Date: Mon Nov 18 07:07:45 2013 +0100 Upstream commit: cf970c002d270c36202bd5b9c2804d3097a52da0 ping: prevent NULL pointer dereference on write to msg_name A plain read() on a socket does set msg->msg_name to NULL. So check for NULL pointer first. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv4/ping.c | 34 +++++++++++++++++++--------------- 1 files changed, 19 insertions(+), 15 deletions(-) commit 8bb32f2682953e1b748a59c4a4363b237c3510df Author: Hannes Frederic Sowa Date: Mon Nov 18 04:20:45 2013 +0100 Upstream commit: bceaa90240b6019ed73b49965eac7d167610be69 inet: prevent leakage of uninitialized memory to user in recv syscalls Only update *addr_len when we actually fill in sockaddr, otherwise we can return uninitialized memory from the stack to the caller in the recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) checks because we only get called with a valid addr_len pointer either from sock_common_recvmsg or inet_recvmsg. If a blocking read waits on a socket which is concurrently shut down we now return zero and set msg_msgnamelen to 0. Reported-by: mpb Suggested-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ieee802154/dgram.c | 3 +-- net/ipv4/ping.c | 19 +++++++------------ net/ipv4/raw.c | 4 +--- net/ipv4/udp.c | 7 +------ net/ipv6/raw.c | 4 +--- net/ipv6/udp.c | 5 +---- net/l2tp/l2tp_ip.c | 4 +--- net/phonet/datagram.c | 9 ++++----- 8 files changed, 17 insertions(+), 38 deletions(-) commit 642d754081c130a151e7df27e5c07edf2f368106 Author: Jeff Layton Date: Wed Nov 13 09:08:21 2013 -0500 Upstream commit: 6d769f1e1420179d1f83cf1a9cdc585b46c28545 nfs: don't retry detect_trunking with RPC_AUTH_UNIX more than once Currently, when we try to mount and get back NFS4ERR_CLID_IN_USE or NFS4ERR_WRONGSEC, we create a new rpc_clnt and then try the call again. There is no guarantee that doing so will work however, so we can end up retrying the call in an infinite loop. Worse yet, we create the new client using rpc_clone_client_set_auth, which creates the new client as a child of the old one. Thus, we can end up with a *very* long lineage of rpc_clnts. When we go to put all of the references to them, we can end up with a long call chain that can smash the stack as each rpc_free_client() call can recurse back into itself. This patch fixes this by simply ensuring that the SETCLIENTID call will only be retried in this situation if the last attempt did not use RPC_AUTH_UNIX. Note too that with this change, we don't need the (i > 2) check in the -EACCES case since we now have a more reliable test as to whether we should reattempt. Cc: stable@vger.kernel.org # v3.10+ Cc: Chuck Lever Tested-by/Acked-by: Weston Andros Adamson Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit a96ee20d2e099c56fd89b91ee309551e7b50b8f2 Author: Chuck Lever Date: Wed Jul 24 12:28:28 2013 -0400 Upstream commit: d688f7b8f62857c252b886fa16e8b38b83cfaf7e NFS: Use root's credential for lease management when keytab is missing Commit 05f4c350 "NFS: Discover NFSv4 server trunking when mounting" Fri Sep 14 17:24:32 2012 introduced Uniform Client String support, which forces our NFS client to establish a client ID immediately during a mount operation rather than waiting until a user wants to open a file. Normally machine credentials (eg. from a keytab) are used to perform a mount operation that is protected by Kerberos. Before 05fc350, SETCLIENTID used a machine credential, or fell back to a regular user's credential if no keytab is available. On clients that don't have a keytab, performing SETCLIENTID early means there's no user credential to fall back on, since no regular user has kinit'd yet. 05f4c350 seems to have broken the ability to mount with sec=krb5 on clients that don't have a keytab in kernels 3.7 - 3.10. To address this regression, commit 4edaa308 (NFS: Use "krb5i" to establish NFSv4 state whenever possible), Sat Mar 16 15:56:20 2013, was merged in 3.10. This commit forces the NFS client to fall back to AUTH_SYS for lease management operations if no keytab is available. Neil Brown noticed that, since root is required to kinit to do a sec=krb5 mount when a client doesn't have a keytab, we can try to use root's Kerberos credential before AUTH_SYS. Now, when determining a principal and flavor to use for lease management, the NFS client tries in this order: 1. Flavor: AUTH_GSS, krb5i Principal: service principal (via keytab) 2. Flavor: AUTH_GSS, krb5i Principal: user principal established for UID 0 (via kinit) 3. Flavor: AUTH_SYS Principal: UID 0 / GID 0 Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust fs/nfs/nfs4state.c | 19 ++++++++++++++++++- 1 files changed, 18 insertions(+), 1 deletions(-) commit 6ebab64904f37af82e950b0c6d321437e810b248 Author: Trond Myklebust Date: Tue Nov 12 17:24:36 2013 -0500 Upstream commit: d07ba8422f1e58be94cc98a1f475946dc1b89f1b SUNRPC: Avoid deep recursion in rpc_release_client In cases where an rpc client has a parent hierarchy, then rpc_free_client may end up calling rpc_release_client() on the parent, thus recursing back into rpc_free_client. If the hierarchy is deep enough, then we can get into situations where the stack simply overflows. The fix is to have rpc_release_client() loop so that it can take care of the parent rpc client hierarchy without needing to recurse. Reported-by: Jeff Layton Reported-by: Weston Andros Adamson Reported-by: Bruce Fields Link: http://lkml.kernel.org/r/2C73011F-0939-434C-9E4D-13A1EB1403D7@netapp.com Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit fcb4306973aed105cc6d042077bf31e21b812008 Author: Trond Myklebust Date: Fri Nov 8 16:03:50 2013 -0500 Upstream commit: a6b31d18b02ff9d7915c5898c9b5ca41a798cd73 SUNRPC: Fix a data corruption issue when retransmitting RPC calls The following scenario can cause silent data corruption when doing NFS writes. It has mainly been observed when doing database writes using O_DIRECT. 1) The RPC client uses sendpage() to do zero-copy of the page data. 2) Due to networking issues, the reply from the server is delayed, and so the RPC client times out. 3) The client issues a second sendpage of the page data as part of an RPC call retransmission. 4) The reply to the first transmission arrives from the server _before_ the client hardware has emptied the TCP socket send buffer. 5) After processing the reply, the RPC state machine rules that the call to be done, and triggers the completion callbacks. 6) The application notices the RPC call is done, and reuses the pages to store something else (e.g. a new write). 7) The client NIC drains the TCP socket send buffer. Since the page data has now changed, it reads a corrupted version of the initial RPC call, and puts it on the wire. This patch fixes the problem in the following manner: The ordering guarantees of TCP ensure that when the server sends a reply, then we know that the _first_ transmission has completed. Using zero-copy in that situation is therefore safe. If a time out occurs, we then send the retransmission using sendmsg() (i.e. no zero-copy), We then know that the socket contains a full copy of the data, and so it will retransmit a faithful reproduction even if the RPC call completes, and the application reuses the O_DIRECT buffer in the meantime. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org net/sunrpc/xprtsock.c | 28 +++++++++++++++++++++------- 1 files changed, 21 insertions(+), 7 deletions(-) commit 2c59d4080ae744532dbe595f6923dcba72279977 Merge: b2b99c6 d52f291 Author: Brad Spengler Date: Mon Nov 18 19:07:55 2013 -0500 Merge branch 'pax-test' into grsec-test commit d52f291621da9227cda5fd647e82dfe9bfc11265 Author: Brad Spengler Date: Mon Nov 18 19:07:14 2013 -0500 Update to pax-linux-3.11.8-test14.patch: - fixed a gcc-4.6 crash caused by a recent change in the latent entropy plugin, reported by Marko Randjelovic and mckinney (http://forums.grsecurity.net/viewtopic.php?f=3&t=3878) mm/page_alloc.c | 2 +- tools/gcc/latent_entropy_plugin.c | 34 ++++++++++++++++++++++++---------- 2 files changed, 25 insertions(+), 11 deletions(-) commit b2b99c6972e345565d561b722de210f071e5e259 Author: Brad Spengler Date: Thu Nov 14 20:47:37 2013 -0500 Upstream commit: 0e033e04c2678dbbe74a46b23fffb7bb918c288e ipv6: fix headroom calculation in udp6_ufo_fragment Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp fragmentation for tunnel traffic.") changed the calculation if there is enough space to include a fragment header in the skb from a skb->mac_header dervived one to skb_headroom. Because we already peeled off the skb to transport_header this is wrong. Change this back to check if we have enough room before the mac_header. This fixes a panic Saran Neti reported. He used the tbf scheduler which skb_gso_segments the skb. The offsets get negative and we panic in memcpy because the skb was erroneously not expanded at the head. Reported-by: Saran Neti Cc: Pravin B Shelar Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/udp_offload.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 012ee7647e16f464f8d1ad004e28eac2ba778158 Author: Dan Carpenter Date: Thu Nov 14 11:21:10 2013 +0300 Upstream commit: f9a23c84486ed350cce7bb1b2828abd1f6658796 isdnloop: use strlcpy() instead of strcpy() These strings come from a copy_from_user() and there is no way to be sure they are NUL terminated. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/isdnloop/isdnloop.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) commit 2a897c9870257c3cd6dd17ec6ff453331dc71a4f Author: Eric Dumazet Date: Thu Nov 14 13:37:54 2013 -0800 Upstream commit: c9e9042994d37cbc1ee538c500e9da1bb9d1bcdf ipv4: fix possible seqlock deadlock ip4_datagram_connect() being called from process context, it should use IP_INC_STATS() instead of IP_INC_STATS_BH() otherwise we can deadlock on 32bit arches, or get corruptions of SNMP counters. Fixes: 584bdf8cbdf6 ("[IPV4]: Fix "ipOutNoRoutes" counter error for TCP and UDP") Signed-off-by: Eric Dumazet Reported-by: Dave Jones Signed-off-by: David S. Miller net/ipv4/datagram.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1a642170613ae336331f2df38aa8f2c1227d3c96 Merge: 60c6423 84d78c7 Author: Brad Spengler Date: Thu Nov 14 20:28:51 2013 -0500 Merge branch 'pax-test' into grsec-test commit 84d78c7b2f5d1517e8c9d5ef2ca178c90e80a730 Author: Brad Spengler Date: Thu Nov 14 20:28:07 2013 -0500 Update to pax-linux-3.11.8-test13.patch: - forward port to 3.11.8 - removed some no longer used code from bpf jit - fixed some atomic_unchecked_t usage in oprofile and uio - fixed a few incorrect uses of static local variables based on an analysis plugin written by Emese Revfy arch/x86/include/asm/mmu_context.h | 8 ++++++++ arch/x86/kernel/setup.c | 2 +- drivers/bluetooth/btwilink.c | 2 +- drivers/md/dm-table.c | 2 +- drivers/message/i2o/i2o_proc.c | 16 ++++++++-------- drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/nfc/nfcwilink.c | 2 +- drivers/oprofile/oprofilefs.c | 4 ++-- drivers/platform/x86/msi-wmi.c | 2 +- drivers/scsi/aic7xxx/aic79xx_pci.c | 18 +++++------------- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 ++++---- drivers/usb/serial/console.c | 2 +- include/linux/filter.h | 4 ---- kernel/audit.c | 2 +- 20 files changed, 41 insertions(+), 45 deletions(-) commit 60c642339ceb814688d1fdfa9bf3f9bc4cd0a38c Author: Brad Spengler Date: Thu Nov 14 20:15:51 2013 -0500 GRKERNSEC_HARDEN_IPC should depend on SYSVIPC grsecurity/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a5bc567fc9cea02e7e0146d4d25bbc25d9903f43 Author: Brad Spengler Date: Thu Nov 14 19:07:11 2013 -0500 Not necessary since CPU_V6 is the only bool that would select CPU_USE_DOMAINS and that depended on !PAX_KERNEXEC && !PAX_MEMORY_UDEREF, but this helps make it more obvious that while we make use of domains, CPU_USE_DOMAINS is disabled as far as the kernel knows arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2568c19e361c8599fb9bb0a58ba758f5cb40dba Author: Brad Spengler Date: Thu Nov 14 19:01:59 2013 -0500 Add a new feature: GRKERNSEC_HARDEN_IPC in response to Tim Brown's research on overly-permissive shared memory found in hundreds of areas in Linux distros: http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ Will let this sit in -test for a while to weed out any app incompatibilities grsecurity/Kconfig | 17 +++++++++++++++++ grsecurity/Makefile | 2 +- grsecurity/grsec_init.c | 4 ++++ grsecurity/grsec_ipc.c | 22 ++++++++++++++++++++++ grsecurity/grsec_sysctl.c | 9 +++++++++ include/linux/grinternal.h | 1 + include/linux/grmsg.h | 1 + ipc/util.c | 5 +++++ 8 files changed, 60 insertions(+), 1 deletions(-) commit 27c3b43bd5ad9c9b877016f26192dbc30da54018 Merge: 08e883f d0a09ad Author: Brad Spengler Date: Wed Nov 13 22:27:13 2013 -0500 Merge branch 'pax-test' into grsec-test commit d0a09ad6430008135b98da6e1941e98a6110b59e Merge: 4e826ac 02709ef Author: Brad Spengler Date: Wed Nov 13 22:27:03 2013 -0500 Merge branch 'linux-3.11.y' into pax-test commit 08e883f3159b541ec8b2740a4b3f35fb25629fd1 Author: Brad Spengler Date: Mon Nov 11 10:48:10 2013 -0500 Fix the overflowable range check just to be correct. Referenced in http://www.x90c.org/advisories/xadv-2013003_linux_kernel.txt but I believe this to be unexploitable due to bounds checks on 'count' from rw_verify_area() in fs/read_write.c drivers/video/arcfb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 094c08532f9877a287ffac7a87b05841a56b4e5d Author: Brad Spengler Date: Sun Nov 10 22:01:33 2013 -0500 Add missing include fs/proc/proc_sysctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e383790f8252620f52895e202cc057c4318da3f4 Author: Brad Spengler Date: Sun Nov 10 17:50:12 2013 -0500 add an option to handle old ARM userlands to properly toggle the KUSER_HELPERS option: GRKERNSEC_OLD_ARM_USERLAND arch/arm/mm/Kconfig | 2 +- grsecurity/Kconfig | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletions(-) commit 9b2775742dbcfcc004f02e5cc6bed6dcd9d73d26 Author: Brad Spengler Date: Sun Nov 10 15:19:27 2013 -0500 On ARM (and other arches) we were defaulting mmap_min_addr to 64K if the LSM-based mmap_min_addr was disabled in config. This caused non-root execs to fail in some cases (via SIGKILL during ELF loading). Fix this by setting a proper default on these architectures like set on the LSM-based mmap_min_addr. Thanks to acez from IRC for debugging. mm/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 17f832897194f46c4759aa02e048ad5623a04eed Author: Brad Spengler Date: Sun Nov 10 13:54:25 2013 -0500 Compatibility fix for LXC: Don't require CAP_SYS_ADMIN to modify our own net namespace's sysctl values, use a CAP_NET_ADMIN check within the user namespace of the process performing the modification CAP_SYS_ADMIN is still required for any other sysctl modification, including modification of sysctls of a net namespace other than our own This allows for LXC containers to not need CAP_SYS_ADMIN to be able to set up their namespace's networking Thanks to ncopa from IRC for testing fs/proc/proc_sysctl.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit b374a895f9ecfccbf3c8536a5a1a51b359a66a20 Merge: fb281bd 4e826ac Author: Brad Spengler Date: Wed Nov 6 17:27:16 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/l2tp/l2tp_core.c commit 4e826ac763867707352d93b7d23ed86e4c6829cf Merge: e309bfb 39773be Author: Brad Spengler Date: Wed Nov 6 17:26:23 2013 -0500 Merge branch 'linux-3.11.y' into pax-test Conflicts: net/compat.c commit fb281bdee5ccb76facfe1172318a867b624011f4 Author: Brad Spengler Date: Wed Nov 6 16:23:36 2013 -0500 Force on DEBUG_LIST so all users can benefit from safe linking/unlinking Conflicts: security/Kconfig security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e249a2a0ee333a6ec0234de20d17670fe0d2b64a Author: Brad Spengler Date: Wed Nov 6 16:19:21 2013 -0500 change DEBUG_LIST WARNs back to BUGs so they can benefit from the kernel bruteforce deterrence Conflicts: lib/list_debug.c lib/list_debug.c | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 42 insertions(+), 23 deletions(-) commit 61f8b4eb5c8b11ff11d28372a44d6e0f3b9b68ba Author: Dan Carpenter Date: Tue Oct 29 23:01:43 2013 +0300 Upstream commit: a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Staging: sb105x: info leak in mp_get_count() The icount.reserved[] array isn't initialized so it leaks stack information to userspace. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/sb105x/sb_pci_mp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 731cf7d12aa699cc30c18e5fe25b8c72b97df3de Author: Dan Carpenter Date: Tue Oct 29 22:06:04 2013 +0300 Upstream commit: 201f99f170df14ba52ea4c52847779042b7a623b uml: check length in exitcode_proc_write() We don't cap the size of buffer from the user so we could write past the end of the array here. Only root can write to this file. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds arch/um/kernel/exitcode.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 1285d10ec38f216f3c5de7ce085ce43447c78916 Author: Jason Wang Date: Fri Nov 1 15:01:10 2013 +0800 Upstream commit: 6f092343855a71e03b8d209815d8c45bf3a27fcd net: flow_dissector: fail on evil iph->ihl We don't validate iph->ihl which may lead a dead loop if we meet a IPIP skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl is evil (less than 5). This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae (rps: support IPIP encapsulation). Cc: Eric Dumazet Cc: Petr Matousek Cc: Michael S. Tsirkin Cc: Daniel Borkmann Signed-off-by: Jason Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/core/flow_dissector.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afa8cd39a80620059d7de6c382c853afe1ab4cc Author: Ming Lei Date: Thu Oct 31 16:34:17 2013 -0700 Upstream commit: 3d77b50c5874b7e923be946ba793644f82336b75 lib/scatterlist.c: don't flush_kernel_dcache_page on slab page Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper functions") introduces two sg buffer copy helpers, and calls flush_kernel_dcache_page() on pages in SG list after these pages are written to. Unfortunately, the commit may introduce a potential bug: - Before sending some SCSI commands, kmalloc() buffer may be passed to block layper, so flush_kernel_dcache_page() can see a slab page finally - According to cachetlb.txt, flush_kernel_dcache_page() is only called on "a user page", which surely can't be a slab page. - ARCH's implementation of flush_kernel_dcache_page() may use page mapping information to do optimization so page_mapping() will see the slab page, then VM_BUG_ON() is triggered. Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, and this patch fixes the bug by adding test of '!PageSlab(miter->page)' before calling flush_kernel_dcache_page(). Signed-off-by: Ming Lei Reported-by: Aaro Koskinen Tested-by: Simon Baatz Cc: Russell King - ARM Linux Cc: Will Deacon Cc: Aaro Koskinen Acked-by: Catalin Marinas Cc: FUJITA Tomonori Cc: Tejun Heo Cc: "James E.J. Bottomley" Cc: Jens Axboe Cc: [3.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/scatterlist.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 54a2d1367d37e6ff23e91e81e8a293f6db3572c4 Author: Dan Carpenter Date: Tue Oct 29 23:01:11 2013 +0300 Upstream commit: 8d1e72250c847fa96498ec029891de4dc638a5ba Staging: bcm: info leak in ioctl The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel information to user space. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/bcm/Bcmchar.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a2ab9d69265a08280241a2f2152e535316d02f53 Author: Dan Carpenter Date: Tue Oct 29 22:11:06 2013 +0300 Upstream commit: f856567b930dfcdbc3323261bf77240ccdde01f5 aacraid: missing capable() check in compat ioctl In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the check as well. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/scsi/aacraid/linit.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 45be53b2583e3c3d9eb0bad55f22e03ad7943b3e Author: Dan Carpenter Date: Tue Oct 29 23:00:15 2013 +0300 Upstream commit: b5e2f339865fb443107e5b10603e53bbc92dc054 staging: wlags49_h2: buffer overflow setting station name We need to check the length parameter before doing the memcpy(). I've actually changed it to strlcpy() as well so that it's NUL terminated. You need CAP_NET_ADMIN to trigger these so it's not the end of the world. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit afd645c1684265260b64ec8189cbc2703b91f6ab Author: Dan Carpenter Date: Tue Oct 29 22:07:47 2013 +0300 Upstream commit: c2c65cd2e14ada6de44cb527e7f1990bede24e15 staging: ozwpan: prevent overflow in oz_cdev_write() We need to check "count" so we don't overflow the ei->data buffer. Reported-by: Nico Golde Reported-by: Fabian Yamaguchi Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Linus Torvalds drivers/staging/ozwpan/ozcdev.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 4a907baeb462b7e0f50923be5a9d842aec93c97a Author: Linus Torvalds Date: Tue Oct 29 10:21:34 2013 -0700 Fixed a little differently than Linus... Obfuscated upstream security commit: 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Fix a few incorrectly checked [io_]remap_pfn_range() calls Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that really should use the vm_iomap_memory() helper. This trivially converts two of them to the helper, and comments about why the third one really needs to continue to use remap_pfn_range(), and adds the missing size check. Reported-by: Nico Golde Cc: stable@kernel.org Signed-off-by: Linus Torvalds Date: Sun Oct 27 15:17:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit e309bfbf7b506b2294b30233f7a3299173a75cf7 Author: Hugh Dickins Date: Wed Oct 16 13:47:09 2013 -0700 Upstream commit: 57a8f0cdb87da776bf0e4ce7554a9133854fa779 mm: revert mremap pud_free anti-fix Revert commit 1ecfd533f4c5 ("mm/mremap.c: call pud_free() after fail calling pmd_alloc()"). The original code was correct: pud_alloc(), pmd_alloc(), pte_alloc_map() ensure that the pud, pmd, pt is already allocated, and seldom do they need to allocate; on failure, upper levels are freed if appropriate by the subsequent do_munmap(). Whereas commit 1ecfd533f4c5 did an unconditional pud_free() of a most-likely still-in-use pud: saved only by the near-impossiblity of pmd_alloc() failing. Signed-off-by: Hugh Dickins Cc: Chen Gang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mremap.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 0970b16a9df08b8cca6929b6443f67df432ac3e5 Author: Eric Dumazet Date: Tue Oct 1 21:04:11 2013 -0700 Upstream commit: 80ad1d61e72d626e30ebe8529a0455e660ca4693 net: do not call sock_put() on TIMEWAIT sockets commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. We should instead use inet_twsk_put() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/inet_hashtables.c | 2 +- net/ipv6/inet6_hashtables.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit ed0c9c47bc3468ad88b45b8ec55d0ad335214d28 Author: Andi Kleen Date: Mon Sep 30 13:29:08 2013 -0700 Upstream commit: 58e4e1f6cacddb7823c44bcfb272174553f6c645 igb: Avoid uninitialized advertised variable in eee_set_cur eee_get_cur assumes that the output data is already zeroed. It can read-modify-write the advertised field: if (ipcnfg & E1000_IPCNFG_EEE_100M_AN) 2594 edata->advertised |= ADVERTISED_100baseT_Full; This is ok for the normal ethtool eee_get call, which always zeroes the input data before. But eee_set_cur also calls eee_get_cur and it did not zero the input field. Later on it then compares agsinst the field, which can contain partial stack garbage. Zero the input field in eee_set_cur() too. Cc: jeffrey.t.kirsher@intel.com Cc: netdev@vger.kernel.org Signed-off-by: Andi Kleen Acked-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 651730a8caabce37f78d8e6c84283b96e434d19f Author: Dan Carpenter Date: Thu Oct 3 00:27:20 2013 +0300 Upstream commit: 1661bf364ae9c506bc8795fef70d1532931be1e8 net: heap overflow in __audit_sockaddr() We need to cap ->msg_namelen or it leads to a buffer overflow when we to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to exploit this bug. The call tree is: ___sys_recvmsg() move_addr_to_user() audit_sockaddr() __audit_sockaddr() Reported-by: Jüri Aedla Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Conflicts: net/compat.c net/compat.c | 2 ++ net/socket.c | 24 ++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) commit b52e008aa27ecec1ca4a2d92ffe2fe874c47fcfc Author: Salva Peiró Date: Wed Oct 16 12:46:50 2013 +0200 Upstream commit: 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 wanxl: fix info leak in ioctl The wanxl_ioctl() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: David S. Miller drivers/net/wan/wanxl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d7e5b4f97fbdd06c03433939efe0e444d877ab4f Author: Geyslan G. Bem Date: Fri Oct 11 16:49:16 2013 -0300 Upstream commit: 3edc8376c06133e3386265a824869cad03a4efd4 ecryptfs: Fix memory leakage in keystore.c In 'decrypt_pki_encrypted_session_key' function: Initializes 'payload' pointer and releases it on exit. Signed-off-by: Geyslan G. Bem Signed-off-by: Tyler Hicks Cc: stable@vger.kernel.org # v2.6.28+ fs/ecryptfs/keystore.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 0ccb7b191245318a36bbd1f59a1846dda72cb738 Author: Colin Ian King Date: Thu Oct 24 14:08:07 2013 +0000 Upstream commit: 43b7c6c6a4e3916edd186ceb61be0c67d1e0969e eCryptfs: fix 32 bit corruption issue Shifting page->index on 32 bit systems was overflowing, causing data corruption of > 4GB files. Fix this by casting it first. https://launchpad.net/bugs/1243636 Signed-off-by: Colin Ian King Reported-by: Lars Duesing Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Tyler Hicks fs/ecryptfs/crypto.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eeb8d56181a3fa3cdfbc106156d4f60cf3a386d4 Author: Brad Spengler Date: Sun Oct 27 13:29:49 2013 -0400 This is a replacement patch only for stable which does fix the problems handled by the following two commits in -net: "ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) "ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) Three frames are written on a corked udp socket for which the output netdevice has UFO enabled. If the first and third frame are smaller than the mtu and the second one is bigger, we enqueue the second frame with skb_append_datato_frags without initializing the gso fields. This leads to the third frame appended regulary and thus constructing an invalid skb. This fixes the problem by always using skb_append_datato_frags as soon as the first frag got enqueued to the skb without marking the packet as SKB_GSO_UDP. The problem with only two frames for ipv6 was fixed by "ipv6: udp packets following an UFO enqueued packet need also be handled by UFO" (2811ebac2521ceac84f2bdae402455baa6a7fb47). Cc: Jiri Pirko Cc: Eric Dumazet Cc: David Miller Signed-off-by: Hannes Frederic Sowa include/linux/skbuff.h | 5 +++++ net/ipv4/ip_output.c | 2 +- net/ipv6/ip6_output.c | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) commit aead8ff29424c6a5d25eb4614be91a01f9f6af00 Merge: 5cf8361 ddadc82 Author: Brad Spengler Date: Sat Oct 26 08:42:26 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit ddadc822a1de40d3992a5c58ca2f970b5fee57ec Author: Brad Spengler Date: Sat Oct 26 08:41:24 2013 -0400 - fixed miscompilation caused by a kernexec plugin related change in copy_user_generic, by Timo Teräs and Natanael Copa (https://github.com/ncopa/linux-stable-grsec/commit/b8bf456d13988fb38cfe248676327f44a2d2ed2e) - updated config help for latent entropy to reflect recent changes arch/x86/include/asm/uaccess_64.h | 4 ++-- security/Kconfig | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) commit 5cf8361c2a7762aa1cdd3d75655361058ad451ad Author: Johannes Weiner Date: Wed Oct 16 13:47:00 2013 -0700 Upstream commit: 84235de394d9775bfaa7fa9762a59d91fef0c1fc fs: buffer: move allocation failure loop into the allocator Buffer allocation has a very crude indefinite loop around waking the flusher threads and performing global NOFS direct reclaim because it can not handle allocation failures. The most immediate problem with this is that the allocation may fail due to a memory cgroup limit, where flushers + direct reclaim might not make any progress towards resolving the situation at all. Because unlike the global case, a memory cgroup may not have any cache at all, only anonymous pages but no swap. This situation will lead to a reclaim livelock with insane IO from waking the flushers and thrashing unrelated filesystem cache in a tight loop. Use __GFP_NOFAIL allocations for buffers for now. This makes sure that any looping happens in the page allocator, which knows how to orchestrate kswapd, direct reclaim, and the flushers sensibly. It also allows memory cgroups to detect allocations that can't handle failure and will allow them to ultimately bypass the limit if reclaim can not make progress. Reported-by: azurIt Signed-off-by: Johannes Weiner Cc: Michal Hocko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/buffer.c | 14 ++++++++++++-- mm/memcontrol.c | 2 ++ 2 files changed, 14 insertions(+), 2 deletions(-) commit 799326c8683d8d70b2035b1e5ab913c159112b6b Author: Miklos Szeredi Date: Thu Oct 10 16:48:19 2013 +0200 Upstream commit: 43ae9e3fc70ca0057ae0a24ef5eedff05e3fae06 ext[34]: fix double put in tmpfile d_tmpfile() already swallowed the inode ref. Signed-off-by: Miklos Szeredi Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ext3/namei.c | 5 ++--- fs/ext4/namei.c | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) commit 799651db9a3b5b08eac1de0ee05f406df7a9a2e3 Author: Jan Klos Date: Sun Oct 6 21:08:20 2013 +0200 Upstream commit: 2f6c9479633780ba4a3484bba7eba5a721a5cf20 cifs: Fix inability to write files >2GB to SMB2/3 shares When connecting to SMB2/3 shares, maximum file size is set to non-LFS maximum in superblock. This is due to cap_large_files bit being different for SMB1 and SMB2/3 (where it is just an internal flag that is not negotiated and the SMB1 one corresponds to multichannel capability, so maybe LFS works correctly if server sends 0x08 flag) while capabilities are checked always for the SMB1 bit in cifs_read_super(). The patch fixes this by checking for the correct bit according to the protocol version. CC: Stable Signed-off-by: Jan Klos Reviewed-by: Jeff Layton Signed-off-by: Steve French fs/cifs/cifsfs.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 549fe4c5bb5e67cb1351bb09455b1d77abe5ab22 Author: Tim Gardner Date: Sun Oct 13 13:29:03 2013 -0600 Upstream commit: 0c26606cbe4937f2228a27bb0c2cad19855be87a cifs: ntstatus_to_dos_map[] is not terminated Functions that walk the ntstatus_to_dos_map[] array could run off the end. For example, ntstatus_to_dos() loops while ntstatus_to_dos_map[].ntstatus is not 0. Granted, this is mostly theoretical, but could be used as a DOS attack if the error code in the SMB header is bogus. [Might consider adding to stable, as this patch is low risk - Steve] Reviewed-by: Jeff Layton Signed-off-by: Tim Gardner Signed-off-by: Steve French fs/cifs/netmisc.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit ed8c09a96fa260e1864c632e1dd91b1320876305 Author: Eric Dumazet Date: Tue Oct 15 11:54:30 2013 -0700 Upstream commit: c52e2421f7368fd36cbe330d2cf41b10452e39a9 tcp: must unclone packets before mangling them TCP stack should make sure it owns skbs before mangling them. We had various crashes using bnx2x, and it turned out gso_size was cleared right before bnx2x driver was populating TC descriptor of the _previous_ packet send. TCP stack can sometime retransmit packets that are still in Qdisc. Of course we could make bnx2x driver more robust (using ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. We have identified two points where skb_unclone() was needed. This patch adds a WARN_ON_ONCE() to warn us if we missed another fix of this kind. Kudos to Neal for finding the root cause of this bug. Its visible using small MSS. Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Cc: Yuchung Cheng Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) commit e5dcf1772ca2a85952da10a21d0650507dc061d3 Author: Dan Carpenter Date: Mon Oct 14 15:28:38 2013 +0300 Upstream commit: 9e5f1721907fcfbd4b575bcafa0314188f7330a5 yam: integer underflow in yam_ioctl() We cap bitrate at YAM_MAXBITRATE in yam_ioctl(), but it could also be negative. I don't know the impact of using a negative bitrate but let's prevent it. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller include/linux/yam.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1f5d72d633f317248bba25158c326a61394aebf2 Merge: 7ca4328 4df1b96 Author: Brad Spengler Date: Fri Oct 18 19:36:17 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: ipc/shm.c commit 4df1b965687831808af2548487e0f35a2ccc5c29 Merge: e41125e 5070441 Author: Brad Spengler Date: Fri Oct 18 19:35:31 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/kernel/setup.c commit 7ca43282302f7777ca3ae48d2552dbd0a6cef525 Author: Brad Spengler Date: Wed Oct 16 18:35:00 2013 -0400 From: Mathias Krause To: Evgeniy Polyakov Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH 2/4] connector: use nlmsg_len() to check message length The current code tests the length of the whole netlink message to be at least as long to fit a cn_msg. This is wrong as nlmsg_len includes the length of the netlink message header. Use nlmsg_len() instead to fix this "off-by-NLMSG_HDRLEN" size check. Cc: stable@vger.kernel.org # v2.6.14+ Signed-off-by: Mathias Krause drivers/connector/connector.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 6c495f94e2f002ed19fb8e265e2746fd6ee08489 Author: Brad Spengler Date: Wed Oct 16 18:36:25 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 1/2] audit: fix info leak in AUDIT_GET requests We leak 4 bytes of kernel stack in response to an AUDIT_GET request as we miss to initialize the mask member of status_set. Fix that. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ Signed-off-by: Mathias Krause kernel/audit.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9557a8727fd46e68f092dec0830a982e85b231f7 Author: Brad Spengler Date: Wed Oct 16 19:02:32 2013 -0400 add 2nd chunk of audit nlmsg_len() fix from minipli kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ceb5f8bae05f3321af941eddb9d2bbe264e0d2cd Author: Brad Spengler Date: Wed Oct 16 18:37:59 2013 -0400 From: Mathias Krause To: linux-audit@redhat.com Cc: Mathias Krause , Al Viro , Eric Paris Subject: [PATCH 2/2] audit: use nlmsg_len() to get message payload length Using the nlmsg_len member of the netlink header to test if the message is valid is wrong as it includes the size of the netlink header itself. Thereby allowing to send short netlink messages that pass those checks. Use nlmsg_len() instead to test for the right message length. The result of nlmsg_len() is guaranteed to be non-negative as the netlink message already passed the checks of nlmsg_ok(). Also switch to min_t() to please checkpatch.pl. Cc: Al Viro Cc: Eric Paris Cc: stable@vger.kernel.org # v2.6.6+ for the 1st hunk, v2.6.23+ for the 2nd kernel/audit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7547b29750381c776dfd47f4b1277a492d5b0f72 Author: Brad Spengler Date: Wed Oct 16 18:41:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , Bart De Schuymer Subject: [PATCH 1/2] netfilter: ebt_ulog: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Bart De Schuymer Signed-off-by: Mathias Krause Conflicts: net/bridge/netfilter/ebt_ulog.c net/bridge/netfilter/ebt_ulog.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit c1da6a5ba1b529d70214142de4eaa7f1b9d62528 Author: Brad Spengler Date: Wed Oct 16 18:43:01 2013 -0400 From: Mathias Krause To: netfilter-devel@vger.kernel.org Cc: Mathias Krause , Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik Subject: [PATCH 2/2] netfilter: ipt_ULOG: fix info leaks The ulog messages leak heap bytes by the means of padding bytes and incompletely filled string arrays. Fix those by memset(0)'ing the whole struct before filling it. Cc: Pablo Neira Ayuso Cc: Patrick McHardy Cc: Jozsef Kadlecsik Signed-off-by: Mathias Krause Conflicts: net/ipv4/netfilter/ipt_ULOG.c net/ipv4/netfilter/ipt_ULOG.c | 7 +------ 1 files changed, 1 insertions(+), 6 deletions(-) commit 2965f6e6122325a18e69296ad3817c66ca59b7e3 Author: Brad Spengler Date: Wed Oct 16 18:49:45 2013 -0400 From: Mathias Krause To: "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org Subject: [PATCH net] unix_diag: fix info leak When filling the netlink message we miss to wipe the pad field, therefore leak one byte of heap memory to userland. Fix this by setting pad to 0. Signed-off-by: Mathias Krause net/unix/diag.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c6bc48165dc213ad8b24fbd872d5c01deb4508bc Author: Mathias Krause Date: Mon Sep 30 22:03:06 2013 +0200 Upstream commit: e727ca82e0e9616ab4844301e6bae60ca7327682 proc connector: fix info leaks Initialize event_data for all possible message types to prevent leaking kernel stack contents to userland (up to 20 bytes). Also set the flags member of the connector message to 0 to prevent leaking two more stack bytes this way. Cc: stable@vger.kernel.org # v2.6.15+ Signed-off-by: Mathias Krause Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) commit 6398c8e93f1f8fcf80ae2f024a8cca9ea84ccd04 Author: AKASHI Takahiro Date: Wed Oct 9 15:58:29 2013 +0100 Upstream commit: 3c1532df5c1b54b5f6246cdef94eeb73a39fe43a ARM: 7851/1: check for number of arguments in syscall_get/set_arguments() In ftrace_syscall_enter(), syscall_get_arguments(..., 0, n, ...) if (i == 0) { ...; n--;} memcpy(..., n * sizeof(args[0])); If 'number of arguments(n)' is zero and 'argument index(i)' is also zero in syscall_get_arguments(), none of arguments should be copied by memcpy(). Otherwise 'n--' can be a big positive number and unexpected amount of data will be copied. Tracing system calls which take no argument, say sync(void), may hit this case and eventually make the system corrupted. This patch fixes the issue both in syscall_get_arguments() and syscall_set_arguments(). Cc: Acked-by: Will Deacon Signed-off-by: AKASHI Takahiro Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/include/asm/syscall.h | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit c062c6b6774efea3e8b21dc5262f8bf9b34609c2 Author: Dave Jones Date: Thu Oct 10 20:05:35 2013 -0400 Upstream commit: 6e4ea8e33b2057b85d75175dd89b93f5e26de3bc ext4: fix memory leak in xattr If we take the 2nd retry path in ext4_expand_extra_isize_ea, we potentionally return from the function without having freed these allocations. If we don't do the return, we over-write the previous allocation pointers, so we leak either way. Spotted with Coverity. [ Fixed by tytso to set is and bs to NULL after freeing these pointers, in case in the retry loop we later end up triggering an error causing a jump to cleanup, at which point we could have a double free bug. -- Ted ] Signed-off-by: Dave Jones Signed-off-by: "Theodore Ts'o" Reviewed-by: Eric Sandeen Cc: stable@vger.kernel.org fs/ext4/xattr.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 224e55268fbd4f81fca479e315c9483df591411d Author: Salva Peiró Date: Fri Oct 11 12:50:03 2013 +0300 Upstream commit: 96b340406724d87e4621284ebac5e059d67b2194 farsync: fix info leak in ioctl The fst_get_iface() code fails to initialize the two padding bytes of struct sync_serial_settings after the ->loopback member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/net/wan/farsync.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 2df2f7f9ca7c383331795980a56a2f47a0d0dfd9 Author: James Hogan Date: Mon Oct 7 12:14:26 2013 +0100 Upstream commit: 8b3c569a3999a8fd5a819f892525ab5520777c92 MIPS: stack protector: Fix per-task canary switch Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary per task) was merged in v3.11 and introduced assembly in the MIPS resume functions to update the value of the current canary in __stack_chk_guard. However it used PTR_L resulting in a load of the canary value, instead of PTR_LA to construct its address. The value is intended to be random but is then treated as an address in the subsequent LONG_S (store). This was observed to cause a fault and panic: CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4 Oops[#1]: ... $24 : 139fea20 1e1f7cb6 ... Call Trace: [<8000cc0c>] resume+0xac/0x118 [<8034f2a4>] __schedule+0x5f8/0x78c [<8034f4e0>] schedule_preempt_disabled+0x20/0x2c [<80348eec>] rest_init+0x74/0x84 [<804dc990>] start_kernel+0x43c/0x454 Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc This can also be forced by modifying arch/mips/include/asm/stackprotector.h so that the default __stack_chk_guard value is more likely to be a bad (or unaligned) pointer. Fix it to use PTR_LA instead, to load the address of the canary value, which the LONG_S can then use to write into it. Reported-by: bobjones (via #mipslinux on IRC) Signed-off-by: James Hogan Cc: Ralf Baechle Cc: Gregory Fong Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/6026/ Signed-off-by: Ralf Baechle arch/mips/kernel/octeon_switch.S | 2 +- arch/mips/kernel/r2300_switch.S | 2 +- arch/mips/kernel/r4k_switch.S | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 4541f6c6871c1cffa3637ccbc817a37d6f093d1c Author: Fan Du Date: Tue Sep 17 15:14:13 2013 +0800 Upstream commit: 33fce60d6a6e137035f8e23a89d7fd55f3a24cda xfrm: Guard IPsec anti replay window against replay bitmap For legacy IPsec anti replay mechanism: bitmap in struct xfrm_replay_state could only provide a 32 bits window size limit in current design, thus user level parameter sadb_sa_replay should honor this limit, otherwise misleading outputs("replay=244") by setkey -D will be: 192.168.25.2 192.168.22.2 esp mode=transport spi=147561170(0x08cb9ad2) reqid=0(0x00000000) E: aes-cbc 9a8d7468 7655cf0b 719d27be b0ddaac2 A: hmac-sha1 2d2115c2 ebf7c126 1c54f186 3b139b58 264a7331 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=1 pid=4854 refcnt=0 192.168.22.2 192.168.25.2 esp mode=transport spi=255302123(0x0f3799eb) reqid=0(0x00000000) E: aes-cbc 6485d990 f61a6bd5 e5660252 608ad282 A: hmac-sha1 0cca811a eb4fa893 c47ae56c 98f6e413 87379a88 seq=0x00000000 replay=244 flags=0x00000000 state=mature created: Sep 17 14:00:00 2013 current: Sep 17 14:00:22 2013 diff: 22(s) hard: 30(s) soft: 26(s) last: Sep 17 14:00:00 2013 hard: 0(s) soft: 0(s) current: 1408(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 22 hard: 0 soft: 0 sadb_seq=0 pid=4854 refcnt=0 And also, optimizing xfrm_replay_check window checking by setting the desirable x->props.replay_window with only doing the comparison once for all when xfrm_state is first born. Signed-off-by: Fan Du Signed-off-by: Steffen Klassert net/key/af_key.c | 3 ++- net/xfrm/xfrm_replay.c | 3 +-- net/xfrm/xfrm_user.c | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) commit 3853002f1fb21ca8e23784e9eaeb971eaebc7541 Author: Thomas Egerer Date: Thu Sep 19 13:19:19 2013 +0200 Upstream commit: cd808fc9a6c7cd3a4311d9d2cffc4adbeaef5f6c xfrm: Fix aevent generation for each received packet If asynchronous events are enabled for a particular netlink socket, the notify function is called by the advance function. The notify function creates and dispatches a km_event if a replay timeout occurred, or at least replay_maxdiff packets have been received since the last asynchronous event has been sent. The function is supposed to return if neither of the two events were detected for a state, or replay_maxdiff is equal to zero. Replay_maxdiff is initialized in xfrm_state_construct to the value of the xfrm.sysctl_aevent_rseqth (2 by default), and updated if for a state if the netlink attribute XFRMA_REPLAY_THRESH is set. If, however, replay_maxdiff is set to zero, then all of the three notify implementations perform a break from the switch statement instead of checking whether a timeout occurred, and -- if not -- return. As a result an asynchronous event is generated for every replay update of a state that has a zero replay_maxdiff value. This patch modifies the notify functions such that they immediately return if replay_maxdiff has the value zero, unless a timeout occurred. Signed-off-by: Thomas Egerer Signed-off-by: Steffen Klassert net/xfrm/xfrm_replay.c | 51 +++++++++++++++++++++++++---------------------- 1 files changed, 27 insertions(+), 24 deletions(-) commit dafbbf04fb91cc92c049dcf7cabcc92fd5d29cb8 Author: Steffen Klassert Date: Tue Oct 8 10:49:45 2013 +0200 Upstream commit: e7d8f6cb2f8735693396872f4608bbe305e8baee xfrm: Add refcount handling to queued policies We need to ensure that policies can't go away as long as the hold timer is armed, so take a refcont when we arm the timer and drop one if we delete it. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 24 +++++++++++++++++------- 1 files changed, 17 insertions(+), 7 deletions(-) commit b4948dc963442682534b3a039664b564c764e4f8 Author: Steffen Klassert Date: Tue Oct 8 10:49:51 2013 +0200 Upstream commit: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 xfrm: check for a vaild skb in xfrm_policy_queue_process We might dreference a NULL pointer if the hold_queue is empty, so add a check to avoid this. Bug was introduced with git commit a0073fe18 ("xfrm: Add a state resolution packet queue") Signed-off-by: Steffen Klassert net/xfrm/xfrm_policy.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit fad7f264b264b0b17a307aa16162cb43c7688a30 Author: Marc Kleine-Budde Date: Mon Oct 7 23:19:58 2013 +0200 Upstream commit: c33a39c575068c2ea9bffb22fd6de2df19c74b89 net: vlan: fix nlmsg size calculation in vlan_get_size() This patch fixes the calculation of the nlmsg size, by adding the missing nla_total_size(). Cc: Patrick McHardy Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller net/8021q/vlan_netlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 675e5611464fe6b4d41e7d8ba56ed845286b28dd Author: François Cachereul Date: Wed Oct 2 10:16:02 2013 +0200 Upstream commit: e18503f41f9b12132c95d7c31ca6ee5155e44e5c l2tp: fix kernel panic when using IPv4-mapped IPv6 addresses IPv4 mapped addresses cause kernel panic. The patch juste check whether the IPv6 address is an IPv4 mapped address. If so, use IPv4 API instead of IPv6. [ 940.026915] general protection fault: 0000 [#1] [ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse [ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 [ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 [ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 [ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 [ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 [ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 [ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 [ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 [ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 [ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 [ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 [ 940.026915] Stack: [ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 [ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 [ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 [ 940.026915] Call Trace: [ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 [ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] [ 940.026915] [] ? pskb_expand_head+0x161/0x214 [ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] [ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] [ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] [ 940.026915] [] ? vfs_write+0xa2/0x106 [ 940.026915] [] ? SyS_write+0x56/0x8a [ 940.026915] [] ? system_call_fastpath+0x16/0x1b [ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 [ 940.026915] RIP [] ip6_xmit+0x276/0x326 [ 940.026915] RSP [ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- [ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt Signed-off-by: François CACHEREUL Signed-off-by: David S. Miller net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- net/l2tp/l2tp_core.h | 3 +++ 2 files changed, 26 insertions(+), 4 deletions(-) commit 2db6fe58460d400bc8b995fa2328be03e27e55e1 Merge: 28f9622 e41125e Author: Brad Spengler Date: Tue Oct 15 10:00:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/ds.c net/sysctl_net.c commit e41125e4742f332cd8cd8cf0c00cb189dba0e037 Merge: 740e5ec a145cb9 Author: Brad Spengler Date: Tue Oct 15 09:58:29 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 28f9622091224541efadf3ae006f0e5651c7fa45 Author: Brad Spengler Date: Tue Oct 1 22:48:34 2013 -0400 Fix this strlcpy crap properly arch/sparc/kernel/ds.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) commit 837193210e4125fe4e9e554b28d7bc33985f3554 Author: David S. Miller Date: Fri Sep 27 13:46:04 2013 -0700 Upstream commit: 2bd161a605f1f84a5fc8a4fe8410113a94f79355 sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using strlcpy() instead of strcpy()") added a bug to ldom_reboot in arch/sparc/kernel/ds.c - strcpy(full_boot_str + strlen("boot "), boot_command); + strlcpy(full_boot_str + strlen("boot "), boot_command, + sizeof(full_boot_str + strlen("boot "))); That last sizeof() expression evaluates to sizeof(size_t) which is not what was intended. Also even the corrected: sizeof(full_boot_str) + strlen("boot ") is not right as the destination buffer length is just plain "sizeof(full_boot_str)" and that's what the final argument should be. Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc25f7a8bc9f268e659f0265bcdb4dcac648c249 Author: Hannes Frederic Sowa Date: Sun Sep 29 05:40:50 2013 +0200 Upstream commit: 3da812d860755925da890e8c713f2d2e2d7b1bae ipv6: gre: correct calculation of max_headroom gre_hlen already accounts for sizeof(struct ipv6_hdr) + gre header, so initialize max_headroom to zero. Otherwise the if (encap_limit >= 0) { max_headroom += 8; mtu -= 8; } increments an uninitialized variable before max_headroom was reset. Found with coverity: 728539 Cc: Dmitry Kozlov Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller Conflicts: net/ipv6/ip6_gre.c net/ipv6/ip6_gre.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 0d68ac550952d0eaf60851497ceee68dbba24516 Merge: 64257ad 740e5ec Author: Brad Spengler Date: Tue Oct 1 18:11:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-core.c drivers/hid/hid-lg2ff.c drivers/hid/hid-lg3ff.c drivers/hid/hid-lg4ff.c drivers/hid/hid-lgff.c drivers/hid/hid-logitech-dj.c drivers/hid/hid-steelseries.c drivers/hid/hid-zpff.c include/linux/hid.h commit 740e5ec087969afd43ae0b552b4e05914437ed32 Merge: c38c6b0 db20388 Author: Brad Spengler Date: Tue Oct 1 17:40:46 2013 -0400 Merge branch 'linux-3.11.y' into pax-test commit 64257ad95c51285d415f93ebdd486fae6bb9415d Author: Hannes Frederic Sowa Date: Sat Sep 21 06:27:00 2013 +0200 Upstream commit: 2811ebac2521ceac84f2bdae402455baa6a7fb47 ipv6: udp packets following an UFO enqueued packet need also be handled by UFO In the following scenario the socket is corked: If the first UDP packet is larger then the mtu we try to append it to the write queue via ip6_ufo_append_data. A following packet, which is smaller than the mtu would be appended to the already queued up gso-skb via plain ip6_append_data. This causes random memory corruptions. In ip6_ufo_append_data we also have to be careful to not queue up the same skb multiple times. So setup the gso frame only when no first skb is available. This also fixes a shortcoming where we add the current packet's length to cork->length but return early because of a packet > mtu with dontfrag set (instead of sutracting it again). Found with trinity. Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Reported-by: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 53 ++++++++++++++++++++---------------------------- 1 files changed, 22 insertions(+), 31 deletions(-) commit ee4ab63f6dfd57e8c5d67e1e154b86d1139937f6 Author: Dan Carpenter Date: Tue Sep 24 15:27:45 2013 -0700 Just a whitespace fix to sync with upstream as we already applied this fix via Vasiliy Kulikov in 2010. It fell through the cracks upstream cciss: fix info leak in cciss_ioctl32_passthru() The arg64 struct has a hole after ->buf_size which isn't cleared. Or if any of the calls to copy_from_user() fail then that would cause an information leak as well. This was assigned CVE-2013-2147. Signed-off-by: Dan Carpenter Acked-by: Mike Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: drivers/block/cciss.c drivers/block/cciss.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 2a5d630a83f5ddd2ab0ce9cb32a93ad3e1f6dc3e Author: Paul E. McKenney Date: Tue Sep 24 18:29:11 2013 -0700 Upstream commit: 22356f447ceb8d97a4885792e7d9e4607f712e1b mm: Place preemption point in do_mlockall() loop There is a loop in do_mlockall() that lacks a preemption point, which means that the following can happen on non-preemptible builds of the kernel. Dave Jones reports: "My fuzz tester keeps hitting this. Every instance shows the non-irq stack came in from mlockall. I'm only seeing this on one box, but that has more ram (8gb) than my other machines, which might explain it. INFO: rcu_preempt self-detected stall on CPU { 3} (t=6500 jiffies g=470344 c=470343 q=0) sending NMI to all CPUs: NMI backtrace for cpu 3 CPU: 3 PID: 29664 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #32 Call Trace: lru_add_drain_all+0x15/0x20 SyS_mlockall+0xa5/0x1a0 tracesys+0xdd/0xe2" This commit addresses this problem by inserting the required preemption point. Reported-by: Dave Jones Signed-off-by: Paul E. McKenney Cc: KOSAKI Motohiro Cc: Michel Lespinasse Cc: Andrew Morton Signed-off-by: Linus Torvalds mm/mlock.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 042ecff756f1246abb9c84dd20ad9f6e9c429ed9 Author: Brad Spengler Date: Fri Sep 27 21:06:17 2013 -0400 Don't log attempts to create a socket with a family that the kernel doesn't support Further, if the kernel doesn't support the socket family, instead of returning -EACCES, return -EAFNOSUPPORT -- should resolve the need to allow ipv6 sockets in RBAC policy despite a kernel that doesn't support ipv6 observed during a Debian userland update necessitating a policy change grsecurity/gracl_ip.c | 7 +++---- net/socket.c | 26 +++++++++++++++----------- 2 files changed, 18 insertions(+), 15 deletions(-) commit 55f1e409275973513a3314fe5bfa76a4781c0db7 Merge: 2eac654 c38c6b0 Author: Brad Spengler Date: Fri Sep 27 20:35:04 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/hid/hid-picolcd_core.c commit c38c6b0bbbe53bd528aeeb4a059764abc028c276 Merge: 115bf6a a3308b5 Author: Brad Spengler Date: Fri Sep 27 20:34:15 2013 -0400 Merge branch 'linux-3.11.y' into pax-test Conflicts: arch/x86/ia32/ia32_signal.c arch/x86/include/asm/checksum_32.h arch/x86/include/asm/mmu_context.h arch/x86/kernel/signal.c arch/x86/lib/csum-wrappers_64.c include/linux/compat.h commit 2eac65435fdffca548a56e5187840908438fc95c Merge: ba0ebde 115bf6a Author: Brad Spengler Date: Thu Sep 26 20:00:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit 115bf6af0083ea28c751d551a39cfdba1798e9dc Author: Brad Spengler Date: Thu Sep 26 19:59:14 2013 -0400 Update to pax-linux-3.11.1-test10.patch: - added missing exports for module_alloc_exec/module_free_exec on arm, by Arnaud Fontaine - fixed potential .exit.text section reference problem with REFCOUNT on arm, reported by Corey Minyard - fixed REFCOUNT false positive in the new percpu refcount code, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=486040) - fixed an integer overflow in the ELF loader that happens to be harmless due to another overflow, found by Emese Revfy's new size overflow plugin (not yet released) - beefed up latent entropy extraction - latent_entropy itself will be initialized to a compile-time random value (instead of 0) - entropy will be collected from various irq and softirq handlers arch/arm/kernel/module.c | 2 ++ arch/arm/kernel/vmlinux.lds.S | 2 +- block/blk-iopoll.c | 2 +- block/blk-softirq.c | 2 +- fs/binfmt_elf.c | 8 +++++--- include/linux/genhd.h | 2 +- include/linux/random.h | 4 ++-- kernel/hrtimer.c | 2 +- kernel/rcutiny.c | 2 +- kernel/rcutree.c | 2 +- kernel/sched/fair.c | 2 +- kernel/softirq.c | 4 ++-- kernel/timer.c | 2 +- lib/percpu-refcount.c | 2 +- net/core/dev.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 2 +- 16 files changed, 24 insertions(+), 20 deletions(-) commit ba0ebdedeb2e128654dac48641bdc9d8b34530d6 Author: Brad Spengler Date: Sun Sep 22 18:14:07 2013 -0400 Revert "Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db" This reverts commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf. net/netlink/genetlink.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit ca27c99c4f2df039e21ec15c52824d84e2cd2f35 Merge: f1e4228 90db383 Author: Brad Spengler Date: Wed Sep 18 17:34:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 90db383fd7d650172d52229b0116ad7604c9bec1 Author: Brad Spengler Date: Wed Sep 18 17:32:42 2013 -0400 Update to pax-linux-3.11.1-test9.patch: - fixed some arm compile regressions, reported by Arnaud Ebalard and Michael Tremer - better implementation of __read_only for modules - fixed a regression and an apparently needed kuser emulation on arm, reported by Arnaud Ebalard arch/arm/kernel/entry-common.S | 12 ++++++------ arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 ++-- arch/arm/mm/fault.c | 26 +++++++++++++++++++++++++- arch/x86/include/asm/cache.h | 4 ---- drivers/bus/arm-cci.c | 2 +- drivers/clk/socfpga/clk.c | 2 +- drivers/mmc/host/mmci.c | 4 +++- drivers/net/ethernet/chelsio/cxgb3/sge.c | 2 +- include/linux/cache.h | 4 ++++ net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- scripts/module-common.lds | 4 ++++ 12 files changed, 49 insertions(+), 19 deletions(-) commit 43fd6b476981f2b72f1fcb7dd4de6b04643e0810 Author: Brad Spengler Date: Wed Sep 18 17:32:25 2013 -0400 Revert "mark sctp_af_inet forward declaration as __read_only to fix compile error" This reverts commit 5e30989102e2d0df166ab6ff915b90f675f8786f. net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f1e42285e17479067b6cbcffc43916720e6dedd3 Merge: 456ca17 5e30989 Author: Brad Spengler Date: Mon Sep 16 21:42:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5e30989102e2d0df166ab6ff915b90f675f8786f Author: Brad Spengler Date: Mon Sep 16 21:41:44 2013 -0400 mark sctp_af_inet forward declaration as __read_only to fix compile error net/sctp/protocol.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 456ca176141f10355c1569b29225c9ce4b7db18e Merge: b406eac 5df8f36 Author: Brad Spengler Date: Mon Sep 16 20:02:05 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5df8f36fbb39fbd47e04945001d11e52c16fc0b6 Author: Brad Spengler Date: Mon Sep 16 20:01:38 2013 -0400 Update to pax-linux-3.11.1-test7.patch: - fixed arm compile error, reported by Arnaud Ebalard - fixed NULL deref due to some xfrm constification, reported by marcin1j (http://forums.grsecurity.net/viewtopic.php?f=3&t=3743) - fixed od_ops constification, fixes cpufreq ondemand on AMD - latent entropy will now be gathered from module init code as well (i.e., at module load/init time) - __read_only will now be enforced in modules as well - removed unneccessary __read_only from ntfs arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/x86/include/asm/cache.h | 4 ++++ drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 2 +- fs/ntfs/file.c | 4 ++-- include/linux/init.h | 5 ----- include/net/xfrm.h | 5 ++++- init/main.c | 9 +++------ mm/page_alloc.c | 1 + net/ipv4/xfrm4_policy.c | 4 ++-- net/ipv6/xfrm6_policy.c | 4 ++-- net/xfrm/xfrm_policy.c | 11 ++--------- 12 files changed, 23 insertions(+), 30 deletions(-) commit b406eac579bb3a5faa1c9d73b8af5530f942009a Author: Brad Spengler Date: Mon Sep 16 12:53:22 2013 -0400 Backport commit from https://git.kernel.org/cgit/linux/kernel/git/klassert/ipsec.git/commit/?h=testing&id=4479ff76c43607b680f9349128d8493228b49dce author Steffen Klassert 2013-09-09 07:39:01 (GMT) committer Steffen Klassert 2013-09-16 07:39:37 (GMT) xfrm: Fix replay size checking on async events We pass the wrong netlink attribute to xfrm_replay_verify_len(). It should be XFRMA_REPLAY_ESN_VAL and not XFRMA_REPLAY_VAL as we currently doing. This causes memory corruptions if the replay esn attribute has incorrect length. Fix this by passing the right attribute to xfrm_replay_verify_len(). Reported-by: Michael Rossberg Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 9eeb1f53a99068a1f2a77e4d250e334165b789c9 Merge: 84843a3 0a0ced6 Author: Brad Spengler Date: Sun Sep 15 11:24:30 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/wireless/ath/ath10k/core.c drivers/net/wireless/ath/ath10k/htc.c commit 0a0ced69ec737fc1abe5bc1c5a66579a22e9bb1d Author: Brad Spengler Date: Sun Sep 15 11:21:43 2013 -0400 Update to pax-linux-3.11.1-test6.patch: - forward port to 3.11.1 - fixed some CONSTIFY fallout, reported by spender - fixed INVPCID on i386, reported by spender - simplified/consolidated the recent security_ops change arch/x86/include/asm/mmu_context.h | 4 ++-- arch/x86/include/asm/tlbflush.h | 6 +++--- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.c | 7 ++++--- include/linux/security.h | 2 -- security/security.c | 3 --- security/selinux/hooks.c | 5 +++-- 8 files changed, 16 insertions(+), 19 deletions(-) commit 84843a394cde0578be728cb5fd34da9859dcf110 Author: Brad Spengler Date: Sun Sep 15 09:19:21 2013 -0400 remove unnecessary check from when protocol was signed net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit cc7c916cac4c2eb0ec243690627e2b6a13234fef Author: Brad Spengler Date: Sun Sep 15 08:53:27 2013 -0400 resync with PaX security/selinux/hooks.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit fdeadf7ba061242685e07a2504c6be99161f292c Author: Brad Spengler Date: Sat Sep 14 23:04:53 2013 -0400 Fix constification of ath10k_hif_cb struct located on stack drivers/net/wireless/ath/ath10k/hif.h | 1 + drivers/net/wireless/ath/ath10k/htc.c | 2 +- 2 files changed, 2 insertions(+), 1 deletions(-) commit 73c6875760e610cb636f86566a1be7a744d89b82 Author: Brad Spengler Date: Sat Sep 14 22:41:06 2013 -0400 use a no_const typedef for ath10k_htc_ops, which is located on the stack drivers/net/wireless/ath/ath10k/core.c | 6 +++--- drivers/net/wireless/ath/ath10k/htc.h | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) commit bffb0279b95b717c739365a5a25ca0391e7479b1 Author: Brad Spengler Date: Sat Sep 14 22:13:46 2013 -0400 fix compilation error under constify drivers/net/wireless/ath/ath10k/core.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1044c726fd98de89a711c6655f811600d4051e46 Merge: ffc8003 e39d12a Author: Brad Spengler Date: Sat Sep 14 21:57:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit e39d12a3b877293ba677bf7642c8887144ae1576 Author: Brad Spengler Date: Sat Sep 14 21:56:56 2013 -0400 Update to pax-linux-3.11-test5.patch: - backported 1ecfd533f4c528b0b4cc5bc115c4c47f0b5e4828 (pud leak in alloc_new_pmd) - build_string doesn't need to account for the null terminator, fix some usage in the kernexec plugin mm/mremap.c | 5 ++++- tools/gcc/kernexec_plugin.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) commit ffc8003e9c6d9a26c92ca83a8cdc48f1bf0d7a4b Author: Brad Spengler Date: Sat Sep 14 21:48:03 2013 -0400 fix compile error introduced by pipacs security/selinux/hooks.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 874e80f445b1325df45f04cc317f67587e241218 Author: Brad Spengler Date: Sat Sep 14 21:12:45 2013 -0400 Fix invalid dependency causing warning: warning: (DEBUG_WW_MUTEX_SLOWPATH) selects DEBUG_LOCK_ALLOC which has unmet direct dependencies (DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN) lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 76675229b0398d812bd885c2ea9ebdc66cd5d74a Author: Brad Spengler Date: Sat Sep 14 19:53:56 2013 -0400 change unsigned long descriptor array to u64, for 32bit kernels on Haswell CPUs arch/x86/include/asm/tlbflush.h | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b6dd7c7dd3e78d549c4c0e18f7803aa918d3a838 Author: Daniel Borkmann Date: Sat Sep 7 16:44:59 2013 +0200 Upstream commit: a0fb05d1aef0f5df936f80b726d1b3bfd4275f95 net: sctp: fix bug in sctp_poll for SOCK_SELECT_ERR_QUEUE If we do not add braces around ... mask |= POLLERR | sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0; ... then this condition always evaluates to true as POLLERR is defined as 8 and binary or'd with whatever result comes out of sock_flag(). Hence instead of (X | Y) ? A : B, transform it into X | (Y ? A : B). Unfortunatelty, commit 8facd5fb73 ("net: fix smatch warnings inside datagram_poll") forgot about SCTP. :-( Introduced by 7d4c04fc170 ("net: add option to enable error queue packets waking select"). Signed-off-by: Daniel Borkmann Cc: Jacob Keller Acked-by: Neil Horman Acked-by: Vlad Yasevich Acked-by: Jacob Keller Signed-off-by: David S. Miller net/sctp/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4ad458cf887df99b3de3ce11fb83cd27bd13d986 Author: Jason Wang Date: Wed Sep 11 18:09:48 2013 +0800 Upstream commit: 662ca437e714caaab855b12415d6ffd815985bc0 tuntap: correctly handle error in tun_set_iff() Commit c8d68e6be1c3b242f1c598595830890b65cea64a (tuntap: multiqueue support) only call free_netdev() on error in tun_set_iff(). This causes several issues: - memory of tun security were leaked - use after free since the flow gc timer was not deleted and the tfile were not detached This patch solves the above issues. Reported-by: Wannes Rombouts Cc: Michael S. Tsirkin Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/net/tun.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit b504140d8590bd67ed481ea84824a9846dde2d74 Author: Herbert Xu Date: Sun Sep 8 14:33:50 2013 +1000 Upstream commit: 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa crypto: api - Fix race condition in larval lookup crypto_larval_lookup should only return a larval if it created one. Any larval created by another entity must be processed through crypto_larval_wait before being returned. Otherwise this will lead to a larval being killed twice, which will most likely lead to a crash. Cc: stable@vger.kernel.org Reported-by: Kees Cook Tested-by: Kees Cook Signed-off-by: Herbert Xu crypto/api.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit f4212fa9ec1c34c59fabc43904e16112b776b6b2 Author: Daniel Borkmann Date: Wed Sep 11 16:58:36 2013 +0200 Upstream commit: 95ee62083cb6453e056562d91f597552021e6ae7 net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport does not seem to have the desired effect: SCTP + IPv4: 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): SCTP + IPv6: 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] Moreover, Alan says: This problem was seen with both Racoon and Racoon2. Other people have seen this with OpenSwan. When IPsec is configured to encrypt all upper layer protocols the SCTP connection does not initialize. After using Wireshark to follow packets, this is because the SCTP packet leaves Box A unencrypted and Box B believes all upper layer protocols are to be encrypted so it drops this packet, causing the SCTP connection to fail to initialize. When IPsec is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" string on the other end, results in cleartext on the wire where SCTP eventually does not report any errors, thus in the latter case that Alan reports, the non-paranoid user might think he's communicating over an encrypted transport on SCTP although he's not (tcpdump ... -X): ... 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the receiver side. Initial follow-up analysis from Alan's bug report was done by Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). This has the implication that it probably never really got updated along with changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since a call to inet6_csk_xmit() would solve this problem, but result in unecessary route lookups, let us just use the cached flowi6 instead that we got through sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), we do the route lookup / flow caching in sctp_transport_route(), hold it in tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() instead to get the correct source routed dst entry, which we assign to the skb. Also source address routing example from 625034113 ("sctp: fix sctp to work with ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 it is actually 'recommended' to not use that anyway due to traffic amplification [1]. So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if we overwrite the flow destination here, the lower IPv6 layer will be unable to put the correct destination address into IP header, as routing header is added in ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, result of this patch is that we do not have any XfrmInTmplMismatch increase plus on the wire with this patch it now looks like: SCTP + IPv6: 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 This fixes Kernel Bugzilla 24412. This security issue seems to be present since 2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have its fun with that. lksctp-tools IPv6 regression test suite passes as well with this patch. [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf Reported-by: Alan Chester Reported-by: Alexey Dobriyan Signed-off-by: Daniel Borkmann Cc: Steffen Klassert Cc: Hannes Frederic Sowa Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/ipv6.c | 42 +++++++++++++----------------------------- 1 files changed, 13 insertions(+), 29 deletions(-) commit 726915e42b1a23b88cd420029003d82208a30006 Author: Kees Cook Date: Fri Sep 13 14:52:04 2013 -0700 Upstream commit: 35a4a5733b0a8290de39558b82896ab795b108a7 isdn: clean up debug format string usage Avoid unneeded local string buffers for constructing debug output. Also cleans up debug calls that contain a single parameter so that they cannot be accidentally parsed as format strings. Signed-off-by: Kees Cook Cc: Karsten Keil Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: David S. Miller drivers/isdn/hisax/amd7930_fn.c | 4 +- drivers/isdn/hisax/avm_pci.c | 4 +- drivers/isdn/hisax/config.c | 2 +- drivers/isdn/hisax/diva.c | 4 +- drivers/isdn/hisax/elsa.c | 2 +- drivers/isdn/hisax/elsa_ser.c | 2 +- drivers/isdn/hisax/hfc_pci.c | 2 +- drivers/isdn/hisax/hfc_sx.c | 2 +- drivers/isdn/hisax/hscx_irq.c | 4 +- drivers/isdn/hisax/icc.c | 4 +- drivers/isdn/hisax/ipacx.c | 8 +++--- drivers/isdn/hisax/isac.c | 4 +- drivers/isdn/hisax/isar.c | 6 ++-- drivers/isdn/hisax/jade.c | 18 ++++---------- drivers/isdn/hisax/jade_irq.c | 4 +- drivers/isdn/hisax/l3_1tr6.c | 50 ++++++++++++++------------------------- drivers/isdn/hisax/netjet.c | 2 +- drivers/isdn/hisax/q931.c | 6 ++-- drivers/isdn/hisax/w6692.c | 8 +++--- 19 files changed, 57 insertions(+), 79 deletions(-) commit 4c90e693066a984f2c3a05bd2b75fe2273906eb3 Author: Brad Spengler Date: Sat Sep 14 19:16:48 2013 -0400 Fix a bad git merge, re-applied a previously reverted patch arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 5dea4b212b0405d6bcbea57516d77b21035d1178 Author: Brad Spengler Date: Sat Sep 14 16:56:37 2013 -0400 finish porting namei.c fs/namei.c | 50 +++++++++++--------------------------------------- 1 files changed, 11 insertions(+), 39 deletions(-) commit a7d5c5e2d0fd4831df19247e41c73c362809b00f Author: Brad Spengler Date: Sat Sep 14 16:44:08 2013 -0400 cred->user -> current_user() fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit be3db5fa6532557384fb66d2d9297d77666912cf Author: Brad Spengler Date: Sat Sep 14 16:36:24 2013 -0400 Fix GRKERNSEC_DENYUSB dependency as reported by Victor Roman of Funtoo Linux grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce9afc12137b65991bfc7cce70e28d86bbb76956 Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 84aa149aa0f178516f5784d028522d60d35696c9 Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB Signed-off-by: Brad Spengler grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1145b56059535549be226da9891b56ab2d902b2f Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit cc604c1c66e7034ad7ddc7fb3cec749e0e5828a3 Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user Signed-off-by: Brad Spengler grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) commit 06f8e6fe41a0de311b0c94bf853cb2c15aee67d4 Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast Signed-off-by: Brad Spengler grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 74dc00678ec84a254617b500a2880974dac95220 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() Signed-off-by: Brad Spengler grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f9b60ffe6e67563faa8d207fa6d00bd04252cf4f Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it Signed-off-by: Brad Spengler drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 889852764d245f44e416da4eb203fda0bd327584 Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit f30e932a87f25b53779d1f92b49923f8a2dc9834 Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit f9eac59133855befee23d0c899e0d0e6ebcd3d44 Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 9f5ae466957014bc300929374ebb7afdd9d116d6 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit b643b8f8af23488d92f16a817bf16c162d612ce1 Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 975723a41239b1befae172e88082ff4422753508 Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 54b39084efe20a3f10fcb58ee8327d7b6250b7cd Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 05c3db7daee82d79c628c15b304f8621159e14f3 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit a79f25f59fdd0abaf4ecfab93017aa49de089498 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 6fe8eb06e432f165872d3486fdce0d09de1515b3 Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit cd5ea45deb4aae3a6ca7b99e261d771792c2e8bf Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c147e32922dd91edf1969b8a6eb333aafb4abb79 Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 51b66e0a8cfd2eedb4f3275c7ffc2f7a831b4683 Author: Kees Cook Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org Signed-off-by: Brad Spengler drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit 4ab7b9ed96612f5621898cead7163b6eecf30c7c Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs Signed-off-by: Brad Spengler arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 8a6f59dd3e43d20d8e999d50001b85ba605a4dac Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit abde07f6c047c0331f511318cb49a36d49218dfc Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files Signed-off-by: Brad Spengler include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7a430f97a2f6538693cb8e354c67c874f24c5ebf Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller Signed-off-by: Brad Spengler net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit ab0fc298348a3fce6c8aaf4bef11f388b1bf4782 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings Signed-off-by: Brad Spengler arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit d502375416b17270008ebdf11f1c3be7837f7c50 Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 Signed-off-by: Brad Spengler include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit f6c363aba68cccff2815a488a7e9ed68990100d2 Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages Signed-off-by: Brad Spengler arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 279d4c6643931d6488b2d5f1e7d29db8a3c3a347 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 Signed-off-by: Brad Spengler security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 55ee7adc9d4cd900fd86a4cfad7e0841b4373ee1 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! Signed-off-by: Brad Spengler kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 17 deletions(-) commit 5c0737b045d057152a39154746d8c8e5d59185ed Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b9cb48614b154a4c9a4caec48f5c6a391c7b4eb8 Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs Signed-off-by: Brad Spengler mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit abc10b7630ee1a61c18e7b03b3cbbc9849a346c6 Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include Signed-off-by: Brad Spengler grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 448fdce6e5e32cc5dc8f6a649d58104c11cbe2f5 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation Signed-off-by: Brad Spengler include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d4d49138661d5cb646f0dd012178447380b79956 Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping Signed-off-by: Brad Spengler fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit cfa6b85e91c7e8e7f00eeaf1908d22cbec4b0a15 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define Signed-off-by: Brad Spengler grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 4a307f7d3ff3ab232c0b6341415088e7618c494e Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 78011eb5c2454b8afc96b98bd86ac172e589b13c Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. Signed-off-by: Brad Spengler arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 17cdb36c3bee85c0985f7cc18aa8405fc7838cad Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e670dc535e4501fd12d8bf00f1e1306c44266fe7 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 2834fe28e69176da6ac4989c6e3dc713faafefe5 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit 2669672647f6955f0e5154596492c73cd4fda330 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t Signed-off-by: Brad Spengler include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 75de5da79f5e03936a79ffe2c827462000001985 Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 9055a8feb8493a30d1ad0fcef25eb496630d223f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 080577d5a71de3d2700c4c17e1d13c67bc9b6720 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 129b6204587740fd082e731a54d00e8a9fc35f8b Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1a8481118c2da1cf9610ec5ba9ad950358e8cd3f Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit 67fc73af0876d311c0d01d3b16fa429f44af12b9 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 32f9c3609f8d6c5c893c848e0bd76e0d8d3fa096 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 798adb5cab6c3a8056e1b415e6f34a270f369721 Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 4d4945ce90d83784634b898f83cb5a7699537733 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 2e0b7505d92a89b872d9ebccae57720e3c00e4a2 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6db464f72eff84f77335b69dc2748a3759e151d1 Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit c5c54a2490dd8ec3fcad322d5c64b8cdfc6ce8d7 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit e78a78dcfc089142273243b54509840d3b50c538 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo Signed-off-by: Brad Spengler grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b27005e62bebc09e6604a6f5dc099742bb6b4434 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 101b84a778c254dfd7399f5bcd6264ff437f1176 Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship Signed-off-by: Brad Spengler grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 9b2b2be730d058a2bac5ded5b51d087aa65eed9e Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT Signed-off-by: Brad Spengler fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3e182e4da46de4c6b9a9f45d41030bef19260954 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error Signed-off-by: Brad Spengler mm/madvise.c | 11 +++++------ 1 files changed, 5 insertions(+), 6 deletions(-) commit 0e4d6c92225be5ed70eb4d826d020c1e49fb4870 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel Signed-off-by: Brad Spengler mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 32537d92b8da84f38bf45eb85b6953f452064936 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes Signed-off-by: Brad Spengler fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit a03302441afb0f56cccc9648a5d5e3c4c4d0db70 Author: Brad Spengler Date: Sat Sep 14 16:15:10 2013 -0400 Initial port of grsecurity to 3.11 using new git method Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 12 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 128 ++- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2000 +++++++++++--------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 256 +++- fs/namespace.c | 16 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 166 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 ++- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 69 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 341 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 +++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 235 files changed, 4384 insertions(+), 1312 deletions(-) commit a76b033c58b4886552911442f1b89e0cee041dae Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches Signed-off-by: Brad Spengler arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit d1cf217118e0750f54aca9136d8c6a41f0ae439c Author: Brad Spengler Date: Sat Sep 14 14:36:40 2013 -0400 Initial import of pax-linux-3.11-test4.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 23 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 95 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 42 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/kvm/arm.c | 8 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 104 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 185 +- arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 728 +++- arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/smtc_proc.h | 2 +- arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/smtc-proc.c | 6 +- arch/mips/kernel/smtc.c | 2 +- arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 12 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 16 +- arch/x86/ia32/ia32entry.S | 157 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 16 +- arch/x86/include/asm/desc.h | 74 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 8 +- arch/x86/include/asm/futex.h | 20 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 128 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 124 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 82 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 29 +- arch/x86/include/asm/smap.h | 64 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/tlbflush.h | 74 +- arch/x86/include/asm/uaccess.h | 112 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 14 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 130 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 356 +- arch/x86/kernel/entry_64.S | 669 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 228 +- arch/x86/kernel/head_64.S | 138 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 67 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 20 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 42 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 5 +- arch/x86/kernel/setup.c | 65 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 19 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 28 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 12 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 62 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 89 +- arch/x86/lib/copy_user_nocache_64.S | 22 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 13 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 22 +- arch/x86/lib/memmove_64.S | 36 +- arch/x86/lib/memset_64.S | 11 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 18 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 571 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 45 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 36 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 139 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 39 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 45 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-cgroup.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 43 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/socfpga/clk.c | 7 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 24 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/host1x/drm/dc.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hid/uhid.c | 6 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bcache/super.c | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/vxlan.c | 2 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.h | 4 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 12 +- drivers/tty/hvc/hvsi_lib.c | 6 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/dwc3/gadget.c | 2 - drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/hyperv_fb.c | 4 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 648 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 18 +- fs/dcache.c | 3 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 38 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 6 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 41 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 5 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fdtable.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 17 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/math64.h | 8 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 19 + include/linux/proc_ns.h | 2 +- include/linux/random.h | 15 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/security.h | 2 +- include/linux/seq_file.h | 1 + include/linux/signal.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 48 +- include/linux/slab_def.h | 32 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 18 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 17 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 18 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 84 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 12 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 4 +- kernel/fork.c | 170 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 2 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 10 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 24 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 74 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 49 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 32 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 14 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 10 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mmap.c | 588 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 44 +- mm/shmem.c | 19 +- mm/slab.c | 108 +- mm/slab.h | 15 +- mm/slab_common.c | 60 +- mm/slob.c | 206 +- mm/slub.c | 88 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 10 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 2 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/skbuff.c | 6 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ieee802154/6lowpan.c | 2 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 20 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/output_core.c | 15 +- net/ipv6/ping.c | 28 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 10 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 4 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 690 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 12 +- security/selinux/avc.c | 6 +- security/selinux/hooks.c | 6 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 8 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 471 ++ tools/gcc/latent_entropy_plugin.c | 321 + tools/gcc/size_overflow_hash.data | 6350 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2113 +++++++ tools/gcc/stackleak_plugin.c | 327 + tools/gcc/structleak_plugin.c | 277 + tools/lib/lk/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1664 files changed, 32957 insertions(+), 7636 deletions(-) commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 4c61dba17c53d0a775c77aed0c0ddb15a12daa3c Merge: c3ccfb2 777e08c Author: Brad Spengler Date: Sun Sep 8 19:49:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 777e08c6a87ef43439f4431d8d458732ca5e17c6 Author: Brad Spengler Date: Sun Sep 8 19:47:32 2013 -0400 Update to pax-linux-3.10.11-test26.patch: - reworked __SC_LONG to care about only int and smaller types, this eliminates size overflow false positives reported by hunger - fixed an uninitialized read in splice, reported by hunger fs/splice.c | 1 + include/linux/syscalls.h | 14 +- tools/gcc/size_overflow_hash.data | 426 +++++++++++++++++++++---------------- 3 files changed, 247 insertions(+), 194 deletions(-) commit 5c3161364270c842d901789faac731f79a9f9cd6 Merge: cf9c476 85cdabb Author: Brad Spengler Date: Sun Sep 8 19:24:25 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c3ccfb29794a03413095422100ce90d40ef7df0f Author: Jakob Bornecrantz Date: Thu Aug 29 02:32:53 2013 +0200 Upstream commit: 6e4dcff3adbf25acb87e74500a58e3c07bdec40f drm/vmwgfx: Split GMR2_REMAP commands if they are to large This fixes the piglit test texturing/max-texture-size causing the VM to die due to a too large SVGA command. Signed-off-by: Jakob Bornecrantz Reviewed-by: Biran Paul Reviewed-by: Zack Rusin Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 58 +++++++++++++++++++++++----------- 1 files changed, 39 insertions(+), 19 deletions(-) commit d260badf708d6aa16c44f56f54727532dcae826e Author: Daniel Borkmann Date: Tue Sep 3 19:29:12 2013 +0200 Upstream commit: 3a1c756590633c0e86df606e5c618c190926a0df net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv In tcp_v6_do_rcv() code, when processing pkt options, we soley work on our skb clone opt_skb that we've created earlier before entering tcp_rcv_established() on our way. However, only in condition ... if (np->rxopt.bits.rxtclass) np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb)); ... we work on skb itself. As we extract every other information out of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can already be released by tcp_rcv_established() earlier on. When we try to access it in ipv6_hdr(), we will dereference freed skb. [ Bug added by commit 4c507d2897bd9b ("net: implement IP_RECVTOS for IP_PKTOPTIONS") ] Signed-off-by: Daniel Borkmann Cc: Eric Dumazet Acked-by: Eric Dumazet Acked-by: Jiri Benc Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ee3db7a4fb3619d70b8e0c1a8de07402a67e8d31 Author: Dan Carpenter Date: Thu Aug 29 11:47:00 2013 +0300 Upstream commit: 0d63c27d9e879a0b54eb405636d60ab12040ca46 mISDN: return -EINVAL on error in dsp_control_req() If skb->len is too short then we should return an error. Otherwise we read beyond the end of skb->data for several bytes. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/mISDN/dsp_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit af7c2bc789c8fe5ef7474f22dacf212be22fd0af Author: Brad Spengler Date: Thu Sep 5 19:36:23 2013 -0400 fix dependencies for GRKERNSEC_ROFS / GRKERNSEC_DENYUSB grsecurity/Kconfig | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit da68dbcd96c617923a0aedb177d36b2701f9c858 Author: Brad Spengler Date: Thu Sep 5 19:17:02 2013 -0400 Allow the deny_new_usb sysctl to be toggled off by a user with CAP_SYS_ADMIN. This allows for more inventive uses of the feature that would be impossible otherwise (like toggling it while the screen is locked, etc) grsecurity/grsec_sysctl.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit ce0e893adc830ee110f97071cc17e661fb35ae3d Author: Brad Spengler Date: Thu Sep 5 18:41:49 2013 -0400 Add a new GRKERNSEC_DENYUSB_FORCE option that achieves what GRKERNSEC_DENYUSB does without the need for a sysctl toggle, for users who know they want the functionality but don't want to bother with modifying init scripts Also eliminate reset_security_ops() as a ROP target when SECURITY_SELINUX_DISABLE is disabled as it's the only user grsecurity/Kconfig | 17 ++++++++++++++++- grsecurity/grsec_init.c | 3 +++ grsecurity/grsec_sysctl.c | 2 +- security/security.c | 4 ++++ 4 files changed, 24 insertions(+), 2 deletions(-) commit 0d5ca3a057ae48b5fdccb2f0a7a841a5cc76d3dd Merge: 7ee3899 cf9c476 Author: Brad Spengler Date: Sun Sep 1 13:56:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit cf9c47690fa0f3da590de766ea8c6a543984ee3c Author: Brad Spengler Date: Sun Sep 1 13:56:16 2013 -0400 Update to pax-linux-3.10.10-test25.patch: - fixed a few more REFCOUNT false positives, by Mathias Krause - got inet_getid and ipv6_select_ident rid of the cmpxchg loop block/blk-cgroup.c | 4 ++-- drivers/video/hyperv_fb.c | 4 ++-- fs/namespace.c | 4 ++-- include/net/inetpeer.h | 13 +++++-------- kernel/trace/trace_clock.c | 4 ++-- net/ipv6/output_core.c | 15 ++++++--------- net/sunrpc/auth_gss/svcauth_gss.c | 4 ++-- 7 files changed, 21 insertions(+), 27 deletions(-) commit 7ee3899312d611b85cadd3eda173f7a3952bb8aa Merge: fd0338c 2bdeae7 Author: Brad Spengler Date: Sat Aug 31 22:07:38 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2bdeae76eab5c34e4b88c7090a435b969037a3c1 Author: Brad Spengler Date: Sat Aug 31 22:06:55 2013 -0400 Update to pax-linux-3.10.10-test24.patch: - fixed a REFCOUNT false positive, by Mathias Krause - fixed a bunch more after a quick audit of atomic_inc_return users drivers/acpi/apei/ghes.c | 4 ++-- drivers/ata/libata-core.c | 4 ++-- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/block/drbd/drbd_nl.c | 4 ++-- drivers/crypto/hifn_795x.c | 4 ++-- drivers/edac/edac_device.c | 4 ++-- drivers/edac/edac_pci.c | 4 ++-- drivers/firewire/core-card.c | 4 ++-- drivers/hv/hv_balloon.c | 18 +++++++++--------- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/input/misc/ims-pcu.c | 4 ++-- drivers/input/serio/serio_raw.c | 4 ++-- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/rc/rc-main.c | 4 ++-- drivers/media/v4l2-core/v4l2-device.c | 4 ++-- drivers/net/usb/sierra_net.c | 4 ++-- drivers/pci/hotplug/pciehp_hpc.c | 4 +--- drivers/regulator/core.c | 4 ++-- drivers/scsi/fcoe/fcoe_sysfs.c | 12 ++++++------ drivers/staging/android/timed_output.c | 6 +++--- drivers/staging/media/solo6x10/solo6x10-p2m.c | 2 +- drivers/staging/media/solo6x10/solo6x10.h | 2 +- drivers/target/sbp/sbp_target.c | 4 ++-- drivers/tty/hvc/hvsi.c | 12 ++++++------ drivers/tty/hvc/hvsi_lib.c | 6 +++--- drivers/tty/serial/ioc4_serial.c | 6 +++--- drivers/tty/serial/msm_serial.c | 4 ++-- drivers/usb/misc/appledisplay.c | 4 ++-- fs/afs/inode.c | 4 ++-- fs/btrfs/delayed-inode.c | 6 +++--- fs/btrfs/delayed-inode.h | 4 ++-- fs/fscache/cookie.c | 4 ++-- include/media/v4l2-device.h | 2 +- net/ceph/messenger.c | 4 ++-- net/core/netpoll.c | 4 ++-- net/xfrm/xfrm_state.c | 4 ++-- security/selinux/avc.c | 6 +++--- 43 files changed, 93 insertions(+), 95 deletions(-) commit fd0338c8877c47789a9cc61f3a26c83e68aa3d37 Merge: 1bdf7ec 85099d2 Author: Brad Spengler Date: Sat Aug 31 21:07:29 2013 -0400 Merge branch 'pax-test' into grsec-test commit 85099d220fb014b6e4c6ffe18a55b20c61f6daed Author: Brad Spengler Date: Sat Aug 31 21:06:55 2013 -0400 Update to pax-linux-3.10.10-test23.patch: - added the necessary atomic_unchecked_t conversion for mips - audited and fixed arm and sparc for proper atomic_unchecked_t usage arch/arm/kvm/arm.c | 8 ++++---- arch/arm/mm/context.c | 10 +++++----- arch/mips/kernel/irq.c | 6 +++--- arch/mips/kernel/sync-r4k.c | 24 ++++++++++++------------ arch/mips/sgi-ip27/ip27-nmi.c | 6 +++--- arch/sparc/kernel/smp_64.c | 12 ++++++------ arch/sparc/kernel/traps_64.c | 14 +++++++------- arch/sparc/mm/init_64.c | 10 +++++----- 8 files changed, 45 insertions(+), 45 deletions(-) commit 1bdf7ec39027ffd7c3099b78ff20c39295448b34 Merge: 995a168 38ee86c Author: Brad Spengler Date: Fri Aug 30 19:23:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 38ee86c05df0f8db582df8776b9f23f317d42bbb Author: Brad Spengler Date: Fri Aug 30 19:23:11 2013 -0400 Update to pax-linux-3.10.10-test22.patch: - fixed !REFCOUNT/mips compilation, by Corey Minyard - fixed a few more format strings arch/mips/include/asm/atomic.h | 20 ++++++++++++++++---- drivers/md/bcache/super.c | 2 +- drivers/net/wireless/iwlwifi/dvm/main.c | 3 +-- drivers/pci/hotplug/pciehp_hpc.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/scsi/sd.c | 2 +- drivers/vfio/vfio.c | 4 ++-- fs/ntfs/super.c | 6 +++--- include/linux/workqueue.h | 6 +++--- net/mac80211/main.c | 2 +- sound/pci/hda/hda_codec.c | 8 ++------ 11 files changed, 32 insertions(+), 25 deletions(-) commit 995a16841e2097c3a9dfc652e856469679c4a0ba Author: Brad Spengler Date: Fri Aug 30 17:11:11 2013 -0400 fix compilation with GRKERNSEC_DENYUSB as reported by slashbeast grsecurity/grsec_sysctl.c | 7 ++++--- 1 files changed, 4 insertions(+), 3 deletions(-) commit 8ba1cc35ec5216383369ddf3ef2cde5e4aaacb57 Merge: be2497c 1052971 Author: Brad Spengler Date: Thu Aug 29 20:44:29 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: include/linux/sched.h commit 10529710192fe7f7d42ad7bb1dfef2143cca8ad2 Merge: e902dad 8bf3379 Author: Brad Spengler Date: Thu Aug 29 20:39:50 2013 -0400 Update to pax-linux-3.10.10-test21.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit be2497c1b629a5ad604a8b0ec265ef5d801c7de8 Merge: 081c22b e902dad Author: Brad Spengler Date: Wed Aug 28 20:52:44 2013 -0400 Merge branch 'pax-test' into grsec-test commit e902dad6b609a176f58c1b9393b3a98f14bd4b74 Author: Brad Spengler Date: Wed Aug 28 20:51:21 2013 -0400 Update to pax-linux-3.10.9-test21.patch: - removed unnecessary type cast in do_PrefetchAbort, noticed by spender - since pax_report_refcount_overflow disables preemption inside, no need to do it explicitly in do_ov - fixed a REFCOUNT false positive in UHID - inspired by Dan Carpenter's recent fix (http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=909bd5926d474e275599094acad986af79671ac9) Emese Revfy wrote a gcc plugin to find other instances of the same error, here's the fallout (come to the 10th H2HC if you want to learn about the magic behind this and other plugins): - icmpv6_filter: no memory corruption, probably just some logical error in the caller - dccp_new/dccp_packet/dccp_error: probably remote kernel stack overflow (12 byte network data overwriting a local ptr variable) - gigaset_brkchars: causes DMA on the kernel stack, some archs don't like it (more of this is to come) - isdn_ioctl/IIOCDBGVAR: kernel heap address leak (by design), restricted to CAP_SYS_RAWIO now - __dwc3_gadget_ep_enable: probably forgotten memset, seems harmless - lowpan_header_create: leaks 3 bytes of a kernel heap address over the network arch/arm/mm/fault.c | 2 +- arch/mips/kernel/traps.c | 2 -- drivers/hid/uhid.c | 6 +++--- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/i4l/isdn_common.c | 2 ++ drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- drivers/usb/dwc3/gadget.c | 2 -- net/ieee802154/6lowpan.c | 2 +- net/ipv6/raw.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 6 +++--- 10 files changed, 14 insertions(+), 16 deletions(-) commit 081c22b436d4d4ac8c9ef7c3f3b9587cfb02d804 Author: Brad Spengler Date: Wed Aug 28 20:42:39 2013 -0400 add export of gr_handle_new_usb() grsecurity/grsec_usb.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 2e708ca9984ef74536d1d9b1d4e6e73d27561ed6 Author: Brad Spengler Date: Wed Aug 28 19:24:47 2013 -0400 Add new GRKERNSEC_DENYUSB feature that I've been sitting on for a bit Kees' recent findings are motivation enough to publish it drivers/usb/core/hub.c | 5 +++++ grsecurity/Kconfig | 20 ++++++++++++++++++++ grsecurity/Makefile | 3 ++- grsecurity/grsec_init.c | 1 + grsecurity/grsec_sysctl.c | 11 +++++++++++ grsecurity/grsec_usb.c | 13 +++++++++++++ include/linux/grinternal.h | 1 + include/linux/grsecurity.h | 2 ++ 8 files changed, 55 insertions(+), 1 deletions(-) commit 8044382257ec75a03f3d784ce048ef14e94b90ca Author: Kees Cook Date: Wed Aug 14 09:35:07 2013 -0700 HID: zeroplus: validate output report details The zeroplus HID driver was not checking the size of allocated values in fields it used. A HID device could send a malicious output report that would cause the driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 ... [ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2889 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-zpff.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 1ead832874dde8c45c3d4c8c704f2cd7ad6a328f Author: Kees Cook Date: Wed Aug 14 14:36:15 2013 -0700 HID: provide a helper for validating hid reports Many drivers need to validate the characteristics of their HID report during initialization to avoid misusing the reports. This adds a common helper to perform validation of the report, its field count, and the value count within the fields. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ include/linux/hid.h | 4 +++ 2 files changed, 54 insertions(+), 0 deletions(-) commit 270ba9096ddecdc3cf6c4d76e6892184820116be Author: Kees Cook Date: Wed Aug 14 09:14:34 2013 -0700 HID: steelseries: validate output report details A HID device could send a malicious output report that would cause the steelseries HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 ... [ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten CVE-2013-2891 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-steelseries.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 366e6cf394366e4bb2598e5d3763c6ca53fb7248 Author: Kees Cook Date: Wed Aug 14 08:49:21 2013 -0700 HID: pantherlord: validate output report details A HID device could send a malicious output report that would cause the pantherlord HID driver to write beyond the output report allocation during initialization, causing a heap overflow: [ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 ... [ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2892 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-pl.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 60115e8108e508060815bce5ef9504233c81898c Author: Kees Cook Date: Tue Aug 13 16:49:01 2013 -0700 HID: LG: validate HID output report details A HID device could send a malicious output report that would cause the lg, lg3, and lg4 HID drivers to write beyond the output report allocation during an event, causing a heap overflow: [ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 ... [ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten Additionally, while lg2 did correctly validate the report details, it was cleaned up and shortened. CVE-2013-2893 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lg2ff.c | 19 +++---------------- drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- drivers/hid/hid-lg4ff.c | 20 +------------------- drivers/hid/hid-lgff.c | 17 ++--------------- 4 files changed, 12 insertions(+), 73 deletions(-) commit 1814f6ffbd0d5feccce1f03e8cc17882528e8a9f Author: Kees Cook Date: Thu Aug 15 23:21:23 2013 -0700 HID: lenovo-tpkbd: validate output report details A HID device could send a malicious output report that would cause the lenovo-tpkbd HID driver to write just beyond the output report allocation during initialization, causing a heap overflow: [ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 ... [ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2894 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 38627769bb2b9a550e251b2caf1babda7566fb4a Author: Kees Cook Date: Thu Aug 15 23:45:03 2013 -0700 HID: logitech-dj: validate output report details A HID device could send a malicious output report that would cause the logitech-dj HID driver to leak kernel memory contents to the device, or trigger a NULL dereference during initialization: [ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b ... [ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 [ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 CVE-2013-2895 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit db334388c9d3f95aeb6aacdcec72169b6edd6f07 Author: Kees Cook Date: Fri Aug 16 00:18:15 2013 -0700 HID: ntrig: validate feature report details A HID device could send a malicious feature report that would cause the ntrig HID driver to trigger a NULL dereference during initialization: [57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 ... [57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 [57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] CVE-2013-2896 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-ntrig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 86adcfe96ceefd7d64593a493abe07c155bb8f88 Author: Kees Cook Date: Fri Aug 16 00:11:32 2013 -0700 HID: multitouch: validate feature report details When working on report indexes, always validate that they are in bounds. Without this, a HID device could report a malicious feature report that could trick the driver into a heap overflow: [ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 ... [ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten CVE-2013-2897 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) commit 813f51e0881e4ea6d221da828b1cced02ad9694d Author: Kees Cook Date: Fri Aug 16 08:12:45 2013 -0700 HID: sensor-hub: validate feature report details A HID device could send a malicious feature report that would cause the sensor-hub HID driver to read past the end of heap allocation, leaking kernel memory contents to the caller. CVE-2013-2898 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-sensor-hub.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 6ed7d602e322c67adcfa3ebe79ca2c4a3376330c Author: Kees Cook Date: Fri Aug 16 08:05:10 2013 -0700 HID: picolcd_core: validate output report details A HID device could send a malicious output report that would cause the picolcd HID driver to trigger a NULL dereference during attr file writing. CVE-2013-2899 Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-picolcd_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 95e3cfb5a995dabe45b98cafb77e59d074de151f Author: Kees Cook Date: Fri Aug 16 08:09:54 2013 -0700 HID: check for NULL field when setting values Defensively check that the field to be worked on is not NULL. Signed-off-by: Kees Cook Cc: stable@kernel.org drivers/hid/hid-core.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 96a55ce1b2f3af376c400a02059174e79ce4399c Author: Brad Spengler Date: Wed Aug 28 18:09:18 2013 -0400 http://marc.info/?l=linux-input&m=137772180514608&q=raw From: Kees Cook The "Report ID" field of a HID report is used to build indexes of reports. The kernel's index of these is limited to 256 entries, so any malicious device that sets a Report ID greater than 255 will trigger memory corruption on the host: [ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 [ 1347.156261] IP: [] hid_register_report+0x2a/0x8b CVE-2013-2888 Signed-off-by: Kees Cook Cc: stable@kernel.org --- drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) drivers/hid/hid-core.c | 10 +++++++--- include/linux/hid.h | 4 +++- 2 files changed, 10 insertions(+), 4 deletions(-) commit eb1106eef5f17bfda833ca3cf89e315919173257 Author: Dan Carpenter Date: Fri Aug 9 12:52:31 2013 +0300 Upstream commit: 909bd5926d474e275599094acad986af79671ac9 Hostap: copying wrong data prism2_ioctl_giwaplist() We want the data stored in "addr" and "qual", but the extra ampersands mean we are copying stack data instead. Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/hostap/hostap_ioctl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b12fdddbc01b0d855dd56fa6fea6b4100aae7af4 Author: Brad Spengler Date: Wed Aug 28 17:01:21 2013 -0400 fix typo in ipv6 backport net/ipv6/addrconf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b42367d45ce67de82c38c5c7cb6f4cf521cca2f4 Author: Andy Lutomirski Date: Thu Aug 22 11:39:15 2013 -0700 Upstream commit: d661684cf6820331feae71146c35da83d794467e net: Check the correct namespace when spoofing pid over SCM_RIGHTS This is a security bug. The follow-up will fix nsproxy to discourage this type of issue from happening again. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/core/scm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 10b2e7e1f75d1da2e0bbe0bff04233ea2ec1bed9 Author: Hannes Frederic Sowa Date: Fri Aug 16 13:02:27 2013 +0200 Upstream commit: 4b08a8f1bd8cb4541c93ec170027b4d0782dab52 ipv6: remove max_addresses check from ipv6_create_tempaddr Because of the max_addresses check attackers were able to disable privacy extensions on an interface by creating enough autoconfigured addresses: But the check is not actually needed: max_addresses protects the kernel to install too many ipv6 addresses on an interface and guards addrconf_prefix_rcv to install further addresses as soon as this limit is reached. We only generate temporary addresses in direct response of a new address showing up. As soon as we filled up the maximum number of addresses of an interface, we stop installing more addresses and thus also stop generating more temp addresses. Even if the attacker tries to generate a lot of temporary addresses by announcing a prefix and removing it again (lifetime == 0) we won't install more temp addresses, because the temporary addresses do count to the maximum number of addresses, thus we would stop installing new autoconfigured addresses when the limit is reached. This patch fixes CVE-2013-0343 (but other layer-2 attacks are still possible). Thanks to Ding Tianhong to bring this topic up again. Cc: Ding Tianhong Cc: George Kargiotakis Cc: P J P Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Acked-by: Ding Tianhong Signed-off-by: David S. Miller Conflicts: net/ipv6/addrconf.c net/ipv6/addrconf.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit 8333e0981469a226a47d0142ff31090a48db95a4 Author: David Vrabel Date: Thu Aug 15 13:21:06 2013 +0100 Upstream commit: 84ca7a8e45dafb49cd5ca90a343ba033e2885c17 xen/events: initialize local per-cpu mask for all possible events The sizeof() argument in init_evtchn_cpu_bindings() is incorrect resulting in only the first 64 (or 32 in 32-bit guests) ports having their bindings being initialized to VCPU 0. In most cases this does not cause a problem as request_irq() will set the irq affinity which will set the correct local per-cpu mask. However, if the request_irq() is called on a VCPU other than 0, there is a window between the unmasking of the event and the affinity being set were an event may be lost because it is not locally unmasked on any VCPU. If request_irq() is called on VCPU 0 then local irqs are disabled during the window and the race does not occur. Fix this by initializing all NR_EVENT_CHANNEL bits in the local per-cpu masks. Signed-off-by: David Vrabel Signed-off-by: Konrad Rzeszutek Wilk CC: stable@vger.kernel.org drivers/xen/events.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2a9a83768433937a2b7a97001ba1627156c0efed Author: Roland Dreier Date: Mon Aug 5 17:55:01 2013 -0700 Upstream commit: 35dc248383bbab0a7203fca4d722875bc81ef091 [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal There is a nasty bug in the SCSI SG_IO ioctl that in some circumstances leads to one process writing data into the address space of some other random unrelated process if the ioctl is interrupted by a signal. What happens is the following: - A process issues an SG_IO ioctl with direction DXFER_FROM_DEV (ie the underlying SCSI command will transfer data from the SCSI device to the buffer provided in the ioctl) - Before the command finishes, a signal is sent to the process waiting in the ioctl. This will end up waking up the sg_ioctl() code: result = wait_event_interruptible(sfp->read_wait, (srp_done(sfp, srp) || sdp->detached)); but neither srp_done() nor sdp->detached is true, so we end up just setting srp->orphan and returning to userspace: srp->orphan = 1; write_unlock_irq(&sfp->rq_list_lock); return result; /* -ERESTARTSYS because signal hit process */ At this point the original process is done with the ioctl and blithely goes ahead handling the signal, reissuing the ioctl, etc. - Eventually, the SCSI command issued by the first ioctl finishes and ends up in sg_rq_end_io(). At the end of that function, we run through: write_lock_irqsave(&sfp->rq_list_lock, iflags); if (unlikely(srp->orphan)) { if (sfp->keep_orphan) srp->sg_io_owned = 0; else done = 0; } srp->done = done; write_unlock_irqrestore(&sfp->rq_list_lock, iflags); if (likely(done)) { /* Now wake up any sg_read() that is waiting for this * packet. */ wake_up_interruptible(&sfp->read_wait); kill_fasync(&sfp->async_qp, SIGPOLL, POLL_IN); kref_put(&sfp->f_ref, sg_remove_sfp); } else { INIT_WORK(&srp->ew.work, sg_rq_end_io_usercontext); schedule_work(&srp->ew.work); } Since srp->orphan *is* set, we set done to 0 (assuming the userspace app has not set keep_orphan via an SG_SET_KEEP_ORPHAN ioctl), and therefore we end up scheduling sg_rq_end_io_usercontext() to run in a workqueue. - In workqueue context we go through sg_rq_end_io_usercontext() -> sg_finish_rem_req() -> blk_rq_unmap_user() -> ... -> bio_uncopy_user() -> __bio_copy_iov() -> copy_to_user(). The key point here is that we are doing copy_to_user() on a workqueue -- that is, we're on a kernel thread with current->mm equal to whatever random previous user process was scheduled before this kernel thread. So we end up copying whatever data the SCSI command returned to the virtual address of the buffer passed into the original ioctl, but it's quite likely we do this copying into a different address space! As suggested by James Bottomley , add a check for current->mm (which is NULL if we're on a kernel thread without a real userspace address space) in bio_uncopy_user(), and skip the copy if we're on a kernel thread. There's no reason that I can think of for any caller of bio_uncopy_user() to want to do copying on a kernel thread with a random active userspace address space. Huge thanks to Costa Sapuntzakis for the original pointer to this bug in the sg code. Signed-off-by: Roland Dreier Tested-by: David Milburn Cc: Jens Axboe Cc: Signed-off-by: James Bottomley fs/bio.c | 20 +++++++++++++++----- 1 files changed, 15 insertions(+), 5 deletions(-) commit e6fe57dee152671afd618d6bc8cbf23155be6c34 Merge: cdc8f7d f2095a4 Author: Brad Spengler Date: Tue Aug 27 18:13:35 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c security/Kconfig commit f2095a4787f7d332e5919f0bd00f8de6021ad612 Author: Brad Spengler Date: Tue Aug 27 18:08:23 2013 -0400 Update to pax-linux-3.10.9-test20.patch: - removed unnecessary mark_sym_for_renaming calls from the gcc plugins, reported by Emese Revfy - made some KERNEXEC/UDEREF induced fault handling on arm more robust (IFAR isn't always set on v7), by Corey Minyard - converted some mips atomic accessor macros to functions in preparation of REFCOUNT support, by Corey Minyard - __copy_from_user_inatomic on amd64 will now return unsigned long like other userland accessors do - added REFCOUNT support for mips, by Corey Minyard - fixed arm compilation with UDEREF disabled, reported by fabled (http://forums.grsecurity.net/viewtopic.php?f=1&t=3720) - fixed early boot panic due to a INVCPID/PCID mismatch, reported by Patrick McLean (https://bugs.gentoo.org/show_bug.cgi?id=482010) arch/arm/mm/fault.c | 11 +- arch/mips/include/asm/atomic.h | 722 +++++++++++++++++++++++++++++++++++-- arch/mips/kernel/traps.c | 14 +- arch/x86/include/asm/tlbflush.h | 4 + arch/x86/include/asm/uaccess_64.h | 2 +- fs/ntfs/file.c | 2 +- kernel/events/internal.h | 4 +- kernel/events/uprobes.c | 2 +- kernel/futex.c | 2 +- mm/filemap.c | 8 +- security/Kconfig | 2 +- tools/gcc/kernexec_plugin.c | 18 +- tools/gcc/latent_entropy_plugin.c | 26 +- tools/gcc/size_overflow_plugin.c | 3 +- 14 files changed, 750 insertions(+), 70 deletions(-) commit cdc8f7d7a0d09f5ccec1717d1378ac284b5bb4e9 Merge: 5a9ae57 745975e Author: Brad Spengler Date: Mon Aug 26 20:27:33 2013 -0400 Merge branch 'pax-test' into grsec-test commit 745975e3b3b74b64e00e85778f9a22714d1274f2 Author: Brad Spengler Date: Mon Aug 26 20:26:33 2013 -0400 Fix compilation when UDEREF is enabled and KERNEXEC is disabled, as reported by fabled on the forums: http://forums.grsecurity.net/viewtopic.php?f=1&t=3720 arch/arm/include/asm/pgtable.h | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit 5a9ae577def10802fc8ad6957f05ce2a180dfa36 Merge: 486ec00 f68df21 Author: Brad Spengler Date: Tue Aug 20 20:15:20 2013 -0400 Merge branch 'pax-test' into grsec-test commit f68df215c8bf7fada2710c14b3f3a0ea53fd9e43 Author: Brad Spengler Date: Tue Aug 20 20:14:50 2013 -0400 Update to pax-linux-3.10.9-test18.patch: - fixed missing export of cpu_pgd, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481786) - fixed UDEREF regression on !PCID processors, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=481790) - forward port to 3.10.9 arch/x86/kernel/entry_64.S | 18 +++++++++--------- arch/x86/kernel/i386_ksyms_32.c | 4 ++++ arch/x86/kernel/x8664_ksyms_64.c | 4 ++++ 3 files changed, 17 insertions(+), 9 deletions(-) commit 486ec00945b5dd8826f625e4af8995c5c8cb2a6f Merge: f47a293 d8fed0e Author: Brad Spengler Date: Tue Aug 20 20:12:47 2013 -0400 Merge branch 'pax-test' into grsec-test commit d8fed0eba89a7607afe296c0caf17bc72311d6e9 Merge: f6ace8e 0a4b6d4 Author: Brad Spengler Date: Tue Aug 20 20:12:33 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit f47a293a1440da2a3e2c239d43d636e37ca74f10 Merge: f1e8ec7 f6ace8e Author: Brad Spengler Date: Tue Aug 20 18:20:05 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/kernel/perf_event.c include/linux/sched.h commit f6ace8e1804aadc296bec38b4c4a2d711b9e7c72 Merge: b4fa847 6f54059 Author: Brad Spengler Date: Tue Aug 20 18:18:02 2013 -0400 Update to pax-linux-3.10.8-test18.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/sys_x86_64.c arch/x86/mm/mmap.c include/linux/sched.h commit f1e8ec79b6019ca0aa6a6cdde5668c1bbd9f51ca Merge: 6f88011 b4fa847 Author: Brad Spengler Date: Tue Aug 20 18:05:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit b4fa84790ec760430818ab9b74a8b5acc6b40e63 Author: Brad Spengler Date: Tue Aug 20 18:04:14 2013 -0400 Update to pax-linux-3.10.7-test18.patch: - reverted constification of zcache, problem reported by Marcin MirosÅ‚aw (https://bugs.gentoo.org/show_bug.cgi?id=481752) - fixed a UDEREF resume regression due to the constification of clone_pgd_mask - fixed suspend/resume regression due to the recent constification of mmu_cr4_features, reported by Mathias Krause arch/arm/kernel/process.c | 2 +- arch/x86/include/asm/processor.h | 25 ++----------------------- arch/x86/kernel/cpu/common.c | 4 ++++ arch/x86/kernel/setup.c | 36 ++++++++++++++++++++++++++++++++++++ drivers/staging/zcache/tmem.c | 4 ++-- drivers/staging/zcache/tmem.h | 6 ++---- 6 files changed, 47 insertions(+), 30 deletions(-) commit 6f88011297cb3b1b79ff4d96f8a9b8e2ed5a025f Author: Brad Spengler Date: Mon Aug 19 22:10:04 2013 -0400 fix bad git merge (call to __cpu_disable_lazy_restore was duplicated) as reported by pipacs arch/x86/kernel/smpboot.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 07f718e061bc4696b64a98ac1cf56e9ca1275dc3 Merge: 6eba999 5de93c8 Author: Brad Spengler Date: Sun Aug 18 22:03:19 2013 -0400 Merge branch 'pax-test' into grsec-test commit 5de93c8e2a86865f7a2d62dbcf8702dbf12494db Author: Brad Spengler Date: Sun Aug 18 22:02:47 2013 -0400 Update to pax-linux-3.10.7-test15.patch: - fixed more PCID fallout, reported by spender, Negres and GBit (http://forums.grsecurity.net/viewtopic.php?f=3&t=3705) - fixed some new REFCOUNT false positives, caught by inspection arch/x86/kernel/cpu/common.c | 5 +++-- arch/x86/kernel/entry_64.S | 11 +++++++---- fs/ceph/super.c | 4 ++-- mm/backing-dev.c | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) commit 94c119587c76723c1072237b98fff9886ccb7689 Author: Brad Spengler Date: Sun Aug 18 20:49:39 2013 -0400 fix pipacs' DEMORGAN typo arch/x86/include/asm/tlbflush.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6eba999a3263c2ed3f7e87222a5c9c55315c7f00 Merge: df347f6 64a293e Author: Brad Spengler Date: Sun Aug 18 18:13:04 2013 -0400 Merge branch 'pax-test' into grsec-test commit 64a293ebd17bf4a7ce6bd921ed879673e79fe128 Author: Brad Spengler Date: Sun Aug 18 18:12:37 2013 -0400 Update to pax-linux-3.10.7-test14.patch: - fixed compile error introduced by the previous PCID change - fixed timer_create kernel stack leak, reported by Roman Žilka (https://bugs.gentoo.org/show_bug.cgi?id=470214) arch/x86/include/asm/tlbflush.h | 2 +- kernel/posix-timers.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit df347f6db6cc0aaa40406d8a8b7284b7c15bc685 Merge: d8efbc5 e11b314 Author: Brad Spengler Date: Sun Aug 18 08:15:00 2013 -0400 Merge branch 'pax-test' into grsec-test commit e11b314734c5b7317f5468be75305ad812e78c2b Author: Brad Spengler Date: Sun Aug 18 08:14:26 2013 -0400 Update to pax-linux-3.10.7-test13.patch: - always enable the use of PCID and INVPCID when available in the CPU - kvm guest kernels can use these features even if the host kernel lacks UDEREF arch/x86/include/asm/tlbflush.h | 69 ++++++++++++++++++++++---------------- arch/x86/kernel/cpu/common.c | 48 +++++++++++++++++---------- 2 files changed, 70 insertions(+), 47 deletions(-) commit d8efbc54f5c8aba589d4d12eed9257a754a67de8 Author: Brad Spengler Date: Sat Aug 17 12:00:20 2013 -0400 make kallsyms_lookup_size_offset available to approved source files include/linux/kallsyms.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 6c8feffa95ce2db280160015027b52bb41a344c8 Merge: dbf6930 0bb1c2b Author: Brad Spengler Date: Sat Aug 17 11:57:50 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0bb1c2b2d9ba9a15fb504d47270499e8e2764106 Author: Brad Spengler Date: Sat Aug 17 11:56:43 2013 -0400 Update to pax-linux-3.10.7-test12.patch: - fixed superfluous initializer in __native_flush_tlb_single, reported by Mathias Krause - fixed some arm compile problems arch/x86/include/asm/tlbflush.h | 2 +- drivers/clocksource/bcm_kona_timer.c | 2 +- kernel/signal.c | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) commit dbf69305ad4f8a037aae95af90f9201f556dcb48 Author: Brad Spengler Date: Sat Aug 17 11:18:09 2013 -0400 allow use of kallsyms_lookup_name to approved source files include/linux/kallsyms.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a566c5f4dec33f410678c257e95ab6726ce8e4f9 Merge: 68bd16f f562e3e Author: Brad Spengler Date: Sat Aug 17 10:35:02 2013 -0400 Merge branch 'pax-test' into grsec-test commit f562e3ef7737ea8d80431a722479b36a12504ace Author: Brad Spengler Date: Sat Aug 17 10:34:51 2013 -0400 add uderef_64.c arch/x86/mm/uderef_64.c | 37 +++++++++++++++++++++++++++++++++++++ 1 files changed, 37 insertions(+), 0 deletions(-) commit 68bd16fce3cf51c4c407e2ac6bc3db0629783622 Author: Asbjoern Sloth Toennesen Date: Mon Aug 12 16:30:09 2013 +0000 Upstream commit: 3e805ad288c524bb65aad3f1e004402223d3d504 rtnetlink: rtnl_bridge_getlink: Call nlmsg_find_attr() with ifinfomsg header Fix the iproute2 command `bridge vlan show`, after switching from rtgenmsg to ifinfomsg. Let's start with a little history: Feb 20: Vlad Yasevich got his VLAN-aware bridge patchset included in the 3.9 merge window. In the kernel commit 6cbdceeb, he added attribute support to bridge GETLINK requests sent with rtgenmsg. Mar 6th: Vlad got this iproute2 reference implementation of the bridge vlan netlink interface accepted (iproute2 9eff0e5c) Apr 25th: iproute2 switched from using rtgenmsg to ifinfomsg (63338dca) http://patchwork.ozlabs.org/patch/239602/ http://marc.info/?t=136680900700007 Apr 28th: Linus released 3.9 Apr 30th: Stephen released iproute2 3.9.0 The `bridge vlan show` command haven't been working since the switch to ifinfomsg, or in a released version of iproute2. Since the kernel side only supports rtgenmsg, which iproute2 switched away from just prior to the iproute2 3.9.0 release. I haven't been able to find any documentation, about neither rtgenmsg nor ifinfomsg, and in which situation to use which, but kernel commit 88c5b5ce seams to suggest that ifinfomsg should be used. Fixing this in kernel will break compatibility, but I doubt that anybody have been using it due to this bug in the user space reference implementation, at least not without noticing this bug. That said the functionality is still fully functional in 3.9, when reversing iproute2 commit 63338dca. This could also be fixed in iproute2, but thats an ugly patch that would reintroduce rtgenmsg in iproute2, and from searching in netdev it seams like rtgenmsg usage is discouraged. I'm assuming that the only reason that Vlad implemented the kernel side to use rtgenmsg, was because iproute2 was using it at the time. Signed-off-by: Asbjoern Sloth Toennesen Reviewed-by: Vlad Yasevich Signed-off-by: David S. Miller net/core/rtnetlink.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c7bc5bafddddff55ed4687203a977e96f72540a Author: Johannes Berg Date: Tue Aug 13 09:04:05 2013 +0200 Upstream commit: 58ad436fcf49810aa006016107f494c9ac9013db genetlink: fix family dump race When dumping generic netlink families, only the first dump call is locked with genl_lock(), which protects the list of families, and thus subsequent calls can access the data without locking, racing against family addition/removal. This can cause a crash. Fix it - the locking needs to be conditional because the first time around it's already locked. A similar bug was reported to me on an old kernel (3.4.47) but the exact scenario that happened there is no longer possible, on those kernels the first round wasn't locked either. Looking at the current code I found the race described above, which had also existed on the old kernel. Cc: stable@vger.kernel.org Reported-by: Andrei Otcheretianski Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/netlink/genetlink.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 0aef405c4f269d1e35abb5393cee4e7d452ed4bb Author: Daniel Borkmann Date: Fri Aug 9 16:25:21 2013 +0200 Upstream commit: 771085d6bf3c52de29fc213e5bad07a82e57c23e net: sctp: sctp_transport_destroy{, _rcu}: fix potential pointer corruption Probably this one is quite unlikely to be triggered, but it's more safe to do the call_rcu() at the end after we have dropped the reference on the asoc and freed sctp packet chunks. The reason why is because in sctp_transport_destroy_rcu() the transport is being kfree()'d, and if we're unlucky enough we could run into corrupted pointers. Probably that's more of theoretical nature, but it's safer to have this simple fix. Introduced by commit 8c98653f ("sctp: sctp_close: fix release of bindings for deferred call_rcu's"). I also did the 8c98653f regression test and it's fine that way. Signed-off-by: Daniel Borkmann Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/transport.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3925eab5483946fd746575a46f97bee9d566bb77 Author: Stephane Grosjean Date: Fri Aug 9 11:44:06 2013 +0200 Upstream commit: 3c322a56b01695df15c70bfdc2d02e0ccd80654e can: pcan_usb: fix wrong memcpy() bytes length Fix possibly wrong memcpy() bytes length since some CAN records received from PCAN-USB could define a DLC field in range [9..15]. In that case, the real DLC value MUST be used to move forward the record pointer but, only 8 bytes max. MUST be copied into the data field of the struct can_frame object of the skb given to the network core. Cc: linux-stable Signed-off-by: Stephane Grosjean Signed-off-by: Marc Kleine-Budde Signed-off-by: David S. Miller drivers/net/can/usb/peak_usb/pcan_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c1ac6642baae4a400d1f87115024d1bb1ef53598 Author: Linus Lüssing Date: Tue Aug 6 20:21:15 2013 +0200 Upstream commit: 9d2c9488cedb666bc8206fbdcdc1575e0fbc5929 batman-adv: fix potential kernel paging errors for unicast transmissions There are several functions which might reallocate skb data. Currently some places keep reusing their old ethhdr pointer regardless of whether they became invalid after such a reallocation or not. This potentially leads to kernel paging errors. This patch fixes these by refetching the ethdr pointer after the potential reallocations. Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli net/batman-adv/bridge_loop_avoidance.c | 2 ++ net/batman-adv/gateway_client.c | 13 ++++++++++++- net/batman-adv/gateway_client.h | 3 +-- net/batman-adv/soft-interface.c | 9 ++++++++- net/batman-adv/unicast.c | 13 ++++++++++--- 5 files changed, 33 insertions(+), 7 deletions(-) commit d11ebb55757d366b2e445dea5a96e3ef1b4d22eb Author: Yuchung Cheng Date: Fri Aug 9 17:21:27 2013 -0700 Upstream commit: 356d7d88e088687b6578ca64601b0a2c9d145296 netfilter: nf_conntrack: fix tcp_in_window for Fast Open Currently the conntrack checks if the ending sequence of a packet falls within the observed receive window. However it does so even if it has not observe any packet from the remote yet and uses an uninitialized receive window (td_maxwin). If a connection uses Fast Open to send a SYN-data packet which is dropped afterward in the network. The subsequent SYNs retransmits will all fail this check and be discarded, leading to a connection timeout. This is because the SYN retransmit does not contain data payload so end == initial sequence number (isn) + 1 sender->td_end == isn + syn_data_len receiver->td_maxwin == 0 The fix is to only apply this check after td_maxwin is initialized. Reported-by: Michael Chan Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_proto_tcp.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit 94462727d1f151aa2e3f7fbf0dedb19d8545d2ec Author: Dan Carpenter Date: Thu Aug 1 12:36:57 2013 +0300 Upstream commit: e4d091d7bf787cd303383725b8071d0bae76f981 netfilter: nfnetlink_{log,queue}: fix information leaks in netlink message These structs have a "_pad" member. Also the "phw" structs have an 8 byte "hw_addr[]" array but sometimes only the first 6 bytes are initialized. Signed-off-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 6 +++++- net/netfilter/nfnetlink_queue_core.c | 5 ++++- 2 files changed, 9 insertions(+), 2 deletions(-) commit c5b469d0a0b480a8b2dcac9b4e6532c0ac17f81f Author: Pablo Neira Ayuso Date: Thu Jul 25 10:46:46 2013 +0200 Upstream commit: a206bcb3b02025b23137f3228109d72e0f835c05 netfilter: xt_TCPOPTSTRIP: fix possible off by one access Fix a possible off by one access since optlen() touches opt[offset+1] unsafely when i == tcp_hdrlen(skb) - 1. This patch replaces tcp_hdrlen() by the local variable tcp_hdrlen that stores the TCP header length, to save some cycles. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPOPTSTRIP.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) commit 4634def261cf5f635bc60afe8a6ad436b3ec151e Author: Pablo Neira Ayuso Date: Thu Jul 25 10:37:49 2013 +0200 Upstream commit: 71ffe9c77dd7a2b62207953091efa8dafec958dd netfilter: xt_TCPMSS: fix handling of malformed TCP header and options Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TCPMSS.c | 28 ++++++++++++++++------------ 1 files changed, 16 insertions(+), 12 deletions(-) commit dc552b7b377b8b0cba23513ee09a2341d6714ae8 Author: Dave Jones Date: Fri Aug 9 11:16:34 2013 -0700 Upstream commit: d06f5187469eee1b2932c02fd093d113cfc60d5e 8139cp: Fix skb leak in rx_status_loop failure path. Introduced in cf3c4c03060b688cbc389ebc5065ebcce5653e96 ("8139cp: Add dma_mapping_error checking") Signed-off-by: Dave Jones Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 227b279491a0bbcc70ca3654f34903282c378600 Author: Timo Teräs Date: Tue Aug 6 13:45:43 2013 +0300 Upstream commit: 77a482bdb2e68d13fae87541b341905ba70d572b ip_gre: fix ipgre_header to return correct offset Fix ipgre_header() (header_ops->create) to return the correct amount of bytes pushed. Most callers of dev_hard_header() seem to care only if it was success, but af_packet.c uses it as offset to the skb to copy from userspace only once. In practice this fixes packet socket sendto()/sendmsg() to gre tunnels. Regression introduced in c54419321455631079c7d6e60bc732dd0c5914c5 ("GRE: Refactor GRE tunneling code.") Cc: Pravin B Shelar Signed-off-by: Timo Teräs Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b37d11c0ebb440d9335861ce8f1e690a34c10fb Author: Eric Dumazet Date: Mon Aug 5 11:18:49 2013 -0700 Upstream commit: aab515d7c32a34300312416c50314e755ea6f765 fib_trie: remove potential out of bound access AddressSanitizer [1] dynamic checker pointed a potential out of bound access in leaf_walk_rcu() We could allocate one more slot in tnode_new() to leave the prefetch() in-place but it looks not worth the pain. Bug added in commit 82cfbb008572b ("[IPV4] fib_trie: iterator recode") [1] : https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel Reported-by: Andrey Konovalov Signed-off-by: Eric Dumazet Cc: Dmitry Vyukov Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit 3928184d65fdaf3eef446f0e6c5f305352c1fd02 Author: Daniel Borkmann Date: Mon Aug 5 12:49:35 2013 +0200 Upstream commit: 7921895a5e852fc99de347bc0600659997de9298 net: esp{4,6}: fix potential MTU calculation overflows Commit 91657eafb ("xfrm: take net hdr len into account for esp payload size calculation") introduced a possible interger overflow in esp{4,6}_get_mtu() handlers in case of x->props.mode equals XFRM_MODE_TUNNEL. Thus, the following expression will overflow unsigned int net_adj; ... net_adj = 0; ... return ((mtu - x->props.header_len - crypto_aead_authsize(esp->aead) - net_adj) & ~(align - 1)) + (net_adj - 2); where (net_adj - 2) would be evaluated as + (0 - 2) in an unsigned context. Fix it by simply removing brackets as those operations here do not need to have special precedence. Signed-off-by: Daniel Borkmann Cc: Benjamin Poirier Cc: Steffen Klassert Acked-by: Benjamin Poirier Signed-off-by: David S. Miller net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit f02bce292d1c2fe610be509c96593e70b3de387b Author: Julia Lawall Date: Mon Aug 5 16:47:38 2013 +0200 Upstream commit: d9af2d67e490b48f0d36f448d34e7bab9425f142 net/vmw_vsock/af_vsock.c: drop unneeded semicolon Drop the semicolon at the end of the list_for_each_entry loop header. Signed-off-by: Julia Lawall Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4b62f0cbc3f949056e8bbe0af036acfc20e8e049 Author: Tiger Yang Date: Tue Aug 13 16:00:58 2013 -0700 Upstream commit: c7dd3392ad469e6ba125170ad29f881bed85b678 ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page Since ocfs2_cow_file_pos will invoke ocfs2_refcount_icow with a NULL as the struct file pointer, it finally result in a null pointer dereference in ocfs2_duplicate_clusters_by_page. This patch replace file pointer with inode pointer in cow_duplicate_clusters to fix this issue. [jeff.liu@oracle.com: rebased patch against linux-next tree] Signed-off-by: Tiger Yang Signed-off-by: Jie Liu Cc: Joel Becker Cc: Mark Fasheh Acked-by: Tao Ma Tested-by: David Weber Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 2 +- fs/ocfs2/file.c | 6 ++-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/refcounttree.c | 53 +++++++--------------------------------------- fs/ocfs2/refcounttree.h | 6 ++-- 5 files changed, 16 insertions(+), 53 deletions(-) commit 433bf493c7472435b328b2bc85b6e54f6dd3d0d3 Author: Dan Carpenter Date: Thu Aug 15 15:52:57 2013 +0300 Upstream commit: 15718ea0d844e4816dbd95d57a8a0e3e264ba90e tun: signedness bug in tun_get_user() The recent fix d9bf5f1309 "tun: compare with 0 instead of total_len" is not totally correct. Because "len" and "sizeof()" are size_t type, that means they are never less than zero. Signed-off-by: Dan Carpenter Acked-by: Michael S. Tsirkin Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 26ad267ddda451919357965a0cf271ca24d1bcf2 Author: Weiping Pan Date: Tue Aug 13 21:46:56 2013 +0800 Upstream commit: d9bf5f130946695063469749bfd190087b7fad39 tun: compare with 0 instead of total_len Since we set "len = total_len" in the beginning of tun_get_user(), so we should compare the new len with 0, instead of total_len, or the if statement always returns false. Signed-off-by: Weiping Pan Signed-off-by: David S. Miller drivers/net/tun.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 70023d3ea40fae8b6b6a142a7a5c3db0bcc283f9 Author: Guenter Roeck Date: Fri Aug 16 20:50:55 2013 -0700 Upstream commit: 215b28a5308f3d332df2ee09ef11fda45d7e4a92 s390: Fix broken build Fix this build error: In file included from fs/exec.c:61:0: arch/s390/include/asm/tlb.h:35:23: error: expected identifier or '(' before 'unsigned' arch/s390/include/asm/tlb.h:36:1: warning: no semicolon at end of struct or union [enabled by default] arch/s390/include/asm/tlb.h: In function 'tlb_gather_mmu': arch/s390/include/asm/tlb.h:57:5: error: 'struct mmu_gather' has no member named 'end' Broken due to commit 2b047252d0 ("Fix TLB gather virtual address range invalidation corner cases"). Cc: Greg Kroah-Hartman Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck [ Oh well. We had build testing for ppc amd um, but no s390 - Linus ] Signed-off-by: Linus Torvalds arch/s390/include/asm/tlb.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4e57312c2de2a25ddb181d129dafbc0251062c33 Author: Linus Torvalds Date: Thu Aug 15 11:42:25 2013 -0700 Upstream commit: 2b047252d087be7f2ba088b4933cd904f92e6fce Fix TLB gather virtual address range invalidation corner cases Ben Tebulin reported: "Since v3.7.2 on two independent machines a very specific Git repository fails in 9/10 cases on git-fsck due to an SHA1/memory failures. This only occurs on a very specific repository and can be reproduced stably on two independent laptops. Git mailing list ran out of ideas and for me this looks like some very exotic kernel issue" and bisected the failure to the backport of commit 53a59fc67f97 ("mm: limit mmu_gather batching to fix soft lockups on !CONFIG_PREEMPT"). That commit itself is not actually buggy, but what it does is to make it much more likely to hit the partial TLB invalidation case, since it introduces a new case in tlb_next_batch() that previously only ever happened when running out of memory. The real bug is that the TLB gather virtual memory range setup is subtly buggered. It was introduced in commit 597e1c3580b7 ("mm/mmu_gather: enable tlb flush range in generic mmu_gather"), and the range handling was already fixed at least once in commit e6c495a96ce0 ("mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots"), but that fix was not complete. The problem with the TLB gather virtual address range is that it isn't set up by the initial tlb_gather_mmu() initialization (which didn't get the TLB range information), but it is set up ad-hoc later by the functions that actually flush the TLB. And so any such case that forgot to update the TLB range entries would potentially miss TLB invalidates. Rather than try to figure out exactly which particular ad-hoc range setup was missing (I personally suspect it's the hugetlb case in zap_huge_pmd(), which didn't have the same logic as zap_pte_range() did), this patch just gets rid of the problem at the source: make the TLB range information available to tlb_gather_mmu(), and initialize it when initializing all the other tlb gather fields. This makes the patch larger, but conceptually much simpler. And the end result is much more understandable; even if you want to play games with partial ranges when invalidating the TLB contents in chunks, now the range information is always there, and anybody who doesn't want to bother with it won't introduce subtle bugs. Ben verified that this fixes his problem. Reported-bisected-and-tested-by: Ben Tebulin Build-testing-by: Stephen Rothwell Build-testing-by: Richard Weinberger Reviewed-by: Michal Hocko Acked-by: Peter Zijlstra Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/arm/include/asm/tlb.h | 7 +++++-- arch/arm64/include/asm/tlb.h | 7 +++++-- arch/ia64/include/asm/tlb.h | 9 ++++++--- arch/s390/include/asm/tlb.h | 8 ++++++-- arch/sh/include/asm/tlb.h | 6 ++++-- arch/um/include/asm/tlb.h | 6 ++++-- fs/exec.c | 4 ++-- include/asm-generic/tlb.h | 2 +- mm/hugetlb.c | 2 +- mm/memory.c | 36 +++++++++++++++++++++--------------- mm/mmap.c | 4 ++-- 11 files changed, 57 insertions(+), 34 deletions(-) commit 771ed01c6027772eca1a0df8de65043e7f0d94f8 Merge: 5568c80 ffceabf Author: Brad Spengler Date: Sat Aug 17 09:11:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit ffceabfcc65c60109ba5fca694d78d4dc7047809 Author: Brad Spengler Date: Sat Aug 17 09:10:44 2013 -0400 Update to pax-linux-3.10.7-test11.patch: - simplified some arm code - disabled preemption when calling show_regs, reported by Corey Minyard - added PCID based support for UDEREF on amd64 (blog will have more details) - requires Westmere/Sandy Bridge/Ivy Bridge/Haswell/etc - nopcid turns it off - by default a strong form of UDEREF is used under PCID - pax_weakuderef switches to the older, less secure UDEREF - fixed several bugs that would also have manifested under SMAP - INVPCID is used when available (Haswell) - added a few more return insn instrumentation in new amd64 crypto code Documentation/kernel-parameters.txt | 7 + arch/arm/include/asm/uaccess.h | 3 + arch/x86/crypto/blowfish-avx2-asm_64.S | 6 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 ++ arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 ++ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 + arch/x86/crypto/ghash-clmulni-intel_asm.S | 5 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 ++ arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx2-asm_64.S | 8 ++ arch/x86/ia32/ia32_signal.c | 2 +- arch/x86/ia32/ia32entry.S | 24 ++++- arch/x86/include/asm/cpufeature.h | 3 +- arch/x86/include/asm/fpu-internal.h | 2 + arch/x86/include/asm/futex.h | 4 + arch/x86/include/asm/mmu_context.h | 80 +++++++++++--- arch/x86/include/asm/pgtable.h | 10 +- arch/x86/include/asm/processor.h | 15 +++- arch/x86/include/asm/segment.h | 5 +- arch/x86/include/asm/smap.h | 64 +++++++++++- arch/x86/include/asm/tlbflush.h | 63 +++++++++-- arch/x86/include/asm/uaccess.h | 18 +++- arch/x86/include/asm/xsave.h | 4 + arch/x86/kernel/cpu/common.c | 38 +++++++ arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 152 +++++++++++++++++++++++--- arch/x86/kernel/head_32.S | 2 +- arch/x86/kernel/head_64.S | 8 +- arch/x86/kernel/process_64.c | 5 + arch/x86/kernel/setup.c | 8 +- arch/x86/kernel/signal.c | 4 +- arch/x86/kernel/smpboot.c | 15 ++- arch/x86/lib/copy_user_64.S | 50 +-------- arch/x86/lib/copy_user_nocache_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 11 ++- arch/x86/lib/memcpy_64.S | 4 +- arch/x86/lib/memmove_64.S | 2 +- arch/x86/lib/memset_64.S | 4 +- arch/x86/lib/usercopy_64.c | 5 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/fault.c | 29 ++++-- arch/x86/mm/init.c | 7 +- arch/x86/mm/init_64.c | 9 ++- arch/x86/mm/pageattr.c | 2 +- arch/x86/mm/pgtable.c | 3 + arch/x86/platform/efi/efi_32.c | 2 +- arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/realmode/rm/trampoline_64.S | 1 + fs/exec.c | 2 + include/asm-generic/uaccess.h | 8 ++ include/linux/compat.h | 1 + include/linux/preempt.h | 19 +++ include/linux/signal.h | 1 + include/linux/smp.h | 2 + init/main.c | 14 ++- kernel/signal.c | 16 +++ security/Kconfig | 5 + tools/lib/lk/Makefile | 2 +- tools/perf/Makefile | 2 +- 64 files changed, 673 insertions(+), 136 deletions(-) commit 5568c8059e78d6d002815409df4e90c83b3b08a8 Author: Brad Spengler Date: Sat Aug 17 08:58:34 2013 -0400 Fix two harmless compiler warnings arch/arm/kernel/process.c | 4 ++-- fs/exec.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit e4a41a3eef8c6bdebdbe273cc0fbe372bcb62806 Author: Brad Spengler Date: Fri Aug 16 22:55:24 2013 -0400 Upstream commit: c95eb3184ea1a3a2551df57190c81da695e2144b arch/arm/kernel/perf_event.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 3637bc893b57a227b01852fe34685ab237285b10 Author: Stephen Boyd Date: Wed Aug 7 16:18:08 2013 -0700 Upstream commit: b88a2595b6d8aedbd275c07dfa784657b4f757eb perf/arm: Fix armpmu_map_hw_event() Fix constraint check in armpmu_map_hw_event(). Reported-and-tested-by: Vince Weaver Cc: Signed-off-by: Ingo Molnar Signed-off-by: Linus Torvalds arch/arm/kernel/perf_event.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 11802e1f961a088c39af58d1c1b14d861eedfb35 Author: Brad Spengler Date: Fri Aug 16 22:53:30 2013 -0400 More ARM backports arch/arm/kernel/entry-armv.S | 3 ++- arch/arm/kernel/fiq.c | 8 ++------ 2 files changed, 4 insertions(+), 7 deletions(-) commit bf89938c71ddbd6efb2c2e43bf4f3f99fef623ea Author: Brad Spengler Date: Fri Aug 16 22:46:01 2013 -0400 Fix HIDESYM compatibility with kprobes, as reported by feandil at: http://forums.grsecurity.net/viewtopic.php?t=3701&p=13376#p13376 include/linux/kallsyms.h | 2 +- kernel/kprobes.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletions(-) commit 3d1cf88bbdbe4c0e83dd7d731ecaf1741209d6b7 Author: yonghua zheng Date: Tue Aug 13 16:01:03 2013 -0700 fs/proc/task_mmu.c: fix buffer overflow in add_page_map() Recently we met quite a lot of random kernel panic issues after enabling CONFIG_PROC_PAGE_MONITOR. After debuggind we found this has something to do with following bug in pagemap: In struct pagemapread: struct pagemapread { int pos, len; pagemap_entry_t *buffer; bool v2; }; pos is number of PM_ENTRY_BYTES in buffer, but len is the size of buffer, it is a mistake to compare pos and len in add_page_map() for checking buffer is full or not, and this can lead to buffer overflow and random kernel panic issue. Correct len to be total number of PM_ENTRY_BYTES in buffer. [akpm@linux-foundation.org: document pagemapread.pos and .len units, fix PM_ENTRY_BYTES definition] Signed-off-by: Yonghua Zheng Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Conflicts: fs/proc/task_mmu.c fs/proc/task_mmu.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit 0a3dac834746de241c10d4978bf61b4f146ba89d Merge: dc19474 e12de30 Author: Brad Spengler Date: Fri Aug 16 17:39:01 2013 -0400 Merge branch 'pax-test' into grsec-test commit e12de30aa6b575fc3c9f5cd098dd03623598cb33 Author: Brad Spengler Date: Fri Aug 16 17:34:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch: - Emese fixed a size overflow false positive reported by Sven Vermeulen - fixed some arm compile problems reported by spender - added empty unchecked wrappers for local_t accessors on mips, by Corey Minyard eventually we'll have full REFCOUNT support on mips arch/arm/kernel/process.c | 5 ++- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 3 ++ arch/mips/include/asm/local.h | 57 +++++++++++++++++++++++++++++++++++++++++ mm/internal.h | 2 +- 5 files changed, 65 insertions(+), 4 deletions(-) commit dc19474d0ea6ea3c939544ae5f906067b1784a10 Merge: 51b78c0 82266f9 Author: Brad Spengler Date: Thu Aug 15 21:47:37 2013 -0400 Merge branch 'pax-test' into grsec-test commit 82266f90a3f87ab5017329fb539aebf94c42253a Author: Brad Spengler Date: Thu Aug 15 21:14:47 2013 -0400 Update to pax-linux-3.10.7-test9.patch arch/arm/kernel/process.c | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) commit 51b78c06d1f41614f593cd36456b4af559e9d7fa Merge: e32d904 cb77ead Author: Brad Spengler Date: Thu Aug 15 20:53:45 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit cb77ead0eccb5abb75f7e437a3725d0254558ccd Merge: 13675b8 519be45 Author: Brad Spengler Date: Thu Aug 15 20:50:47 2013 -0400 Update to pax-linux-3.10.7-test8.patch Merge branch 'linux-3.10.y' into pax-test commit e32d904b87292288e74e2637b900fd1115687b8e Author: Brad Spengler Date: Sat Aug 10 09:41:40 2013 -0400 propagate the threadstack offset through to the topdown/bottomup allocators on sparc64 hugepages arch/sparc/mm/hugetlbpage.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit cefa30759f6c977fff5cc1634ecfbfe0ee44391c Author: Oleg Nesterov Date: Thu Aug 8 18:55:32 2013 +0200 Upstream commit: 8742f229b635bf1c1c84a3dfe5e47c814c20b5c8 another local DoS found in reaction to the one I reported, we don't allow unpriv user ns use so this doesn't matter much to us userns: limit the maximum depth of user_namespace->parent chain Ensure that user_namespace->parent chain can't grow too much. Currently we use the hardroded 32 as limit. Reported-by: Andy Lutomirski Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds include/linux/user_namespace.h | 1 + kernel/user_namespace.c | 4 ++++ 2 files changed, 5 insertions(+), 0 deletions(-) commit 223ac007ef18bf3a5095ba0a56675c1f16200149 Merge: 1c92de4 13675b8 Author: Brad Spengler Date: Thu Aug 8 20:45:24 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 13675b848cf02bffd26924b2b84d927095bc253d Author: Brad Spengler Date: Thu Aug 8 20:43:52 2013 -0400 Update to pax-linux-3.10.5-test8.patch: - Emese fixed a size overflow false positive, reported by markusle (http://forums.grsecurity.net/viewtopic.php?f=3&t=3692) - fixed the use of PXN for 2-level pages tables on arm, by Corey Minyard - added PAGEEXEC/XI violation reporting on mips, by Corey Minyard arch/arm/include/asm/pgtable-2level.h | 4 +++- arch/arm/mm/proc-v7-2level.S | 3 --- arch/mips/mm/fault.c | 8 ++++++++ arch/x86/include/asm/processor.h | 3 ++- include/linux/math64.h | 2 +- security/Kconfig | 2 -- 6 files changed, 14 insertions(+), 8 deletions(-) commit 1c92de4b8811c330af033c31d83c9c45e3d064b2 Merge: e65aa3d 1660f49 Author: Brad Spengler Date: Mon Aug 5 18:50:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 1660f496848b8400d263f7920989dae15e72185a Merge: 7f91ba1 dc51cd2 Author: Brad Spengler Date: Mon Aug 5 18:50:12 2013 -0400 Update to pax-linux-3.10.5-test7.patch Merge branch 'linux-3.10.y' into pax-test Conflicts: arch/x86/kernel/head_64.S mm/mempolicy.c commit e65aa3dd447115cb79b4815bc1ceac7b3cacef15 Author: Brad Spengler Date: Mon Aug 5 17:58:42 2013 -0400 Disable RANDKSTACK for a VirtualBox host as mentioned on the gentoo-hardened bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=382793 security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 60d8cffd7740fd1d527790caf9a24a35d8c45858 Author: Dan Carpenter Date: Tue Jul 30 13:23:39 2013 +0300 Upstream commit: 8cb3b9c3642c0263d48f31d525bcee7170eedc20 net_sched: info leak in atm_tc_dump_class() The "pvc" struct has a hole after pvc.sap_family which is not cleared. Signed-off-by: Dan Carpenter Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/sched/sch_atm.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 50d20ebce56b6e0b9622685930e007e46c7c04bb Author: Daniel Borkmann Date: Fri Aug 2 11:32:43 2013 +0200 Upstream commit: 446266b0c742a2c9ee8f0dce759a0117bce58a86 net: rtm_to_ifaddr: free ifa if ifa_cacheinfo processing fails Commit 5c766d642 ("ipv4: introduce address lifetime") leaves the ifa resource that was allocated via inet_alloc_ifa() unfreed when returning the function with -EINVAL. Thus, free it first via inet_free_ifa(). Signed-off-by: Daniel Borkmann Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/devinet.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit 0acaba4eea12097cc59bc61a46ba1ef4a468b260 Author: Himanshu Madhani Date: Fri Aug 2 23:15:56 2013 -0400 Upstream commit: f91bbcb0b82186b4d5669021b142c263b66505e1 qlcnic: Free up memory in error path. Signed-off-by: Himanshu Madhani Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 3626ec32c8b24cb38b8db2a1b2f5430bd898408a Author: Shahed Shaikh Date: Fri Aug 2 23:15:54 2013 -0400 Upstream commit: 4a99ab56cea66f9f67b9d07ace5cd40a336c8e6f qlcnic: Fix MAC address filter issue on 82xx adapter Driver was passing the address of a pointer instead of the pointer itself. Signed-off-by: Shahed Shaikh Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5570df953d6c143e05f1d60d9c23210e60dbbe81 Author: Brad Spengler Date: Mon Aug 5 17:26:40 2013 -0400 Move user namespace capability check to shared create_user_ns code so we cover unshare() as well. Also kill a trivial 1-line, 22-character upstream kernel DoS, thanks to user namespaces! kernel/fork.c | 17 ----------------- kernel/user_namespace.c | 24 ++++++++++++++++++++++-- 2 files changed, 22 insertions(+), 19 deletions(-) commit 97112fe30de4ca84e79c82ebfa2353b9c9988ca1 Author: Brad Spengler Date: Mon Aug 5 16:05:41 2013 -0400 silence a warning on older gcc grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b8966a5d577e9220fbc63306eee978f819f24e2e Author: Brad Spengler Date: Sat Aug 3 08:31:08 2013 -0400 we only care about mmaps of the beginning of an ELF, filter out all others as suggested by pipacs mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8aea9fe5866dec3c847a34f743f343e18cf1cdcb Author: Brad Spengler Date: Fri Aug 2 23:54:51 2013 -0400 add include grsecurity/grsec_log.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit d48425ef8cb3761ab6130e52f1f8e401f5b5a295 Author: Brad Spengler Date: Fri Aug 2 23:49:13 2013 -0400 fix compilation include/linux/grinternal.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1704c23fdc55b68f512dc9927940e72237f3f43e Author: Brad Spengler Date: Fri Aug 2 23:34:35 2013 -0400 Improve PaX reporting (tells when anon mapping is stack or heap) Remove textrel logging option, combine into rwx logging option Enhance RWX logging option to display when PT_GNU_STACK-enabled library is loaded under an MPROTECTed binary Enhance RWX mprotect logging to display stack/heap instead of just anon mapping fs/binfmt_elf.c | 37 +++++++++++++++++++++++++++++++++++++ fs/exec.c | 4 ++++ grsecurity/Kconfig | 21 +++++---------------- grsecurity/grsec_init.c | 4 ---- grsecurity/grsec_log.c | 14 ++++++++++++++ grsecurity/grsec_pax.c | 19 ++++++++++++++----- grsecurity/grsec_sysctl.c | 9 --------- include/linux/binfmts.h | 1 + include/linux/grinternal.h | 2 +- include/linux/grmsg.h | 3 ++- include/linux/grsecurity.h | 3 ++- mm/mmap.c | 7 +++++++ mm/mprotect.c | 2 +- 13 files changed, 88 insertions(+), 38 deletions(-) commit faf81c100c8565524e21c9af780a0ad2ce3fd925 Author: Brad Spengler Date: Thu Aug 1 18:52:02 2013 -0400 add missing #define grsecurity/gracl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit e87232d1fcb4da72df971cbc623aac6c9b3871a0 Author: Brad Spengler Date: Thu Aug 1 18:43:53 2013 -0400 fix compilation for !COMPAT as reported on the forums grsecurity/gracl.c | 195 ++++++++++++++++++++++++++-------------------------- 1 files changed, 97 insertions(+), 98 deletions(-) commit 65c9b9c6c42939dc55be1b8842e7c2e05733056c Merge: 65019c9 7f91ba1 Author: Brad Spengler Date: Wed Jul 31 17:47:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 65019c9bd05f860437071cbf00e2027fd2d68615 Author: Brad Spengler Date: Wed Jul 31 17:47:20 2013 -0400 Revert "revert recent PaX change that causes boot failures with 32bit userland" This reverts commit 23278a1ee1c7738dd1e7005241394d32b82196e4. arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit 7f91ba11122fcaa96fc2dca42bddcd5f8db3b945 Author: Brad Spengler Date: Wed Jul 31 17:46:00 2013 -0400 Update to pax-linux-3.10.4-test7.patch: - added a few more missing format strings - added reporting of mismatched MPROTECT/EMUTRAMP flags between libraries and the main executable - reverted the recent amd64 kstack alignment fix, it'll be done the harder way another time - fixed a UDEREF/i386 regression, __get_user_8 would always fail arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/dumpstack.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/lib/getuser.S | 4 +- arch/x86/xen/smp.c | 2 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 8 ++-- drivers/video/backlight/backlight.c | 2 +- drivers/video/backlight/lcd.c | 2 +- fs/binfmt_elf.c | 51 +++++++++++++++++++++++++--- fs/exec.c | 50 +++++++++++++-------------- include/linux/sched.h | 2 + 14 files changed, 88 insertions(+), 47 deletions(-) commit 043130da54cb7cc8dc44e0ce889d426e889a0532 Author: Brad Spengler Date: Wed Jul 31 16:26:58 2013 -0400 compile fix for !COMPAT as mentioned on forums grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ed0a195abd4e41c2449a020a53a19c74dc866d78 Author: Brad Spengler Date: Tue Jul 30 22:33:14 2013 -0400 perform compat conversion of rlimit infinity grsecurity/gracl_compat.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit a99c1b9f31678c1c72a63bea65aed1b2d3205259 Author: Brad Spengler Date: Tue Jul 30 22:21:40 2013 -0400 remove debugging grsecurity/gracl_compat.c | 44 +++++++++++--------------------------------- 1 files changed, 11 insertions(+), 33 deletions(-) commit e75b3f504692b97960a7530ad0855d91441d79c0 Author: Brad Spengler Date: Tue Jul 30 22:20:32 2013 -0400 eliminate compat_dev_t include/linux/gracl_compat.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e5abbaf95313066a724e1a843d4fc902a9a6450e Author: Brad Spengler Date: Tue Jul 30 22:13:22 2013 -0400 fix compat rlimit size grsecurity/gracl_compat.c | 68 +++++++++++++++++++++++++++++------------- include/linux/gracl_compat.h | 4 +- 2 files changed, 49 insertions(+), 23 deletions(-) commit 877d6c2f8b3518ff39601084560bb33c58d35a1f Author: Brad Spengler Date: Tue Jul 30 21:20:18 2013 -0400 compile fix grsecurity/gracl.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a2062eae8d1dc48d338480e599fedee2dc5e2f98 Author: Brad Spengler Date: Tue Jul 30 21:14:29 2013 -0400 copy correct pointer size in new compat code grsecurity/gracl.c | 8 ++++---- grsecurity/gracl_compat.c | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) commit 23278a1ee1c7738dd1e7005241394d32b82196e4 Author: Brad Spengler Date: Tue Jul 30 19:48:58 2013 -0400 revert recent PaX change that causes boot failures with 32bit userland arch/x86/include/asm/processor.h | 4 ++-- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) commit ec27f71a813656fea8ab37faecb2b485fe99d08e Merge: 3a11bcf 05f0a61 Author: Brad Spengler Date: Tue Jul 30 19:42:21 2013 -0400 Merge branch 'pax-test' into grsec-test commit 05f0a610373fa95df838f97c3fcfb59a3d79c5b8 Author: Brad Spengler Date: Tue Jul 30 19:41:44 2013 -0400 Update to pax-linux-3.10.4-test6.patch: - fixed some size_overflow false positives on i386 caused by __SC_LONG, reported by spender include/linux/syscalls.h | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 3a11bcfcc738ed5dbf0d56713db872ed36351a26 Author: Brad Spengler Date: Tue Jul 30 19:15:50 2013 -0400 compile fix grsecurity/gracl_compat.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 1dbd99b5cb0b6757eadf22309501e7fdd84f5de7 Author: Brad Spengler Date: Tue Jul 30 19:12:46 2013 -0400 remove BUILD_BUG_ONs grsecurity/gracl_compat.c | 20 -------------------- 1 files changed, 0 insertions(+), 20 deletions(-) commit a283b21cbd77622383a1dcb1f7bf1080db3bae88 Author: Brad Spengler Date: Tue Jul 30 00:18:36 2013 -0400 compile fixes grsecurity/gracl_compat.c | 8 ++++---- include/linux/gracl_compat.h | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8b744005f8bae565e24c1fd88af77e6e619b9434 Author: Brad Spengler Date: Tue Jul 30 00:16:42 2013 -0400 compile fixes grsecurity/gracl.c | 4 ++-- grsecurity/gracl_compat.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 5cd86afa393bf9bf38c2e9063191709ac2beff2c Author: Brad Spengler Date: Tue Jul 30 00:13:51 2013 -0400 compile fixes grsecurity/gracl.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) commit b93b829afcc98b6108b18d99ff63c53642d0b951 Author: Brad Spengler Date: Tue Jul 30 00:11:03 2013 -0400 compile fixes grsecurity/gracl_compat.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 7da096415fa633c4ad2b1f74bd43d3a58a63b5c0 Author: Brad Spengler Date: Tue Jul 30 00:08:21 2013 -0400 more compile fixes grsecurity/gracl.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) commit 6c1fd80e19f1449b6895f1ed77f23f1245470b3b Author: Brad Spengler Date: Mon Jul 29 23:59:50 2013 -0400 more compile fixes grsecurity/gracl.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) commit 89dda536f276dd4bb55fa0f9ea8980ac8b750d29 Author: Brad Spengler Date: Mon Jul 29 23:56:47 2013 -0400 additional compile fixes grsecurity/gracl.c | 59 +++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 49 insertions(+), 10 deletions(-) commit ac695a081d1124fb28bec46814535d34c5e40611 Author: Brad Spengler Date: Mon Jul 29 23:47:15 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d95dd21a8d6d00c5cf34fee3f45dd914b6da6093 Author: Brad Spengler Date: Mon Jul 29 23:46:59 2013 -0400 compile fixes grsecurity/gracl.c | 53 ++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 39 insertions(+), 14 deletions(-) commit 82631f451cc7432b6c5578cf8d24155473feb25c Author: Brad Spengler Date: Mon Jul 29 23:22:44 2013 -0400 Initial commit of compat RBAC loading Permits 32bit gradm to load policy for a 64bit kernel Also removed code duplication for copying strings into the kernel Work performed as part of sponsorship grsecurity/Makefile | 4 + grsecurity/gracl.c | 315 +++++++++++++++++++++++------------------- grsecurity/gracl_compat.c | 270 ++++++++++++++++++++++++++++++++++++ include/linux/gracl_compat.h | 156 +++++++++++++++++++++ 4 files changed, 603 insertions(+), 142 deletions(-) commit 84c4a433dfb096e4a1162ee5e68025122c70b421 Merge: c9d3ed3 9fe5897 Author: Brad Spengler Date: Mon Jul 29 17:08:56 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9fe58978938e357642885866ca48090a7753d403 Merge: 8f693ad 6f7bb6b Author: Brad Spengler Date: Mon Jul 29 17:08:43 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit c9d3ed33c5370bbacfadf86f6a1566828a3d7775 Merge: d5e5bfd 8f693ad Author: Brad Spengler Date: Sun Jul 28 10:03:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8f693ade9b3e448f92706d34148b00a087637f70 Author: Brad Spengler Date: Sun Jul 28 10:02:16 2013 -0400 Update to pax-linux-3.10.3-test5.patch: - fixed amd64 kstack alignment (caught by some crazy codegen by clang/llvm) - fixed handling of faulting userland accesses for UDEREF/arm, from spender - updated the size overflow hash table, from Emese arch/arm/kernel/entry-armv.S | 3 +- arch/x86/include/asm/processor.h | 4 +- arch/x86/kernel/cpu/common.c | 2 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kernel/smpboot.c | 2 +- arch/x86/xen/smp.c | 2 +- tools/gcc/size_overflow_hash.data | 553 +++++++++++++++++++++++++++++++++---- 7 files changed, 513 insertions(+), 55 deletions(-) commit d5e5bfd6ecc1fc7e86d070df8eb0ce8d0643c558 Merge: 19e077b 8a8a0d0 Author: Brad Spengler Date: Thu Jul 25 21:05:18 2013 -0400 Merge branch 'pax-test' into grsec-test commit 8a8a0d0b22a86bf65302d03bb6732e42bc0a2e56 Author: Brad Spengler Date: Thu Jul 25 21:04:09 2013 -0400 Update to pax-linux-3.10.3-test4.patch: - introduced per-slab object sanitization, contributed by Mathias Krause and secunet. this is finer grained sanitization than the existing per-page based approach (which is still done) at a somewhat higher performance cost. the pax_sanitize_slab command line option can be used to enable/disable it on boot (it's enabled by default when CONFIG_PAX_MEMORY_SANITIZE is enabled). Documentation/kernel-parameters.txt | 4 ++++ fs/buffer.c | 2 +- fs/dcache.c | 3 ++- include/linux/slab.h | 7 +++++++ include/linux/slab_def.h | 4 ++++ kernel/fork.c | 2 +- mm/rmap.c | 6 ++++-- mm/slab.c | 27 +++++++++++++++++++++++++++ mm/slab.h | 12 +++++++++++- mm/slab_common.c | 14 ++++++++++++++ mm/slob.c | 5 +++++ mm/slub.c | 11 +++++++++++ net/core/skbuff.c | 6 ++++-- security/Kconfig | 23 +++++++++++++++++------ 14 files changed, 112 insertions(+), 14 deletions(-) commit 19e077bfff54ca211d0142c07cb6dd88069a390c Merge: 960ec51 c8f7f51 Author: Brad Spengler Date: Thu Jul 25 19:53:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit c8f7f51591207b82530214300e86277028919286 Merge: d5142e3 81a4648 Author: Brad Spengler Date: Thu Jul 25 19:52:29 2013 -0400 Update to pax-linux-3.10.3-test3.patch: - fixed some compile issues reported by Michael Tremer and spender - fixed an i386 regression with the lower address space gap on i386, reported by cnu Merge branch 'linux-3.10.y' into pax-test Conflicts: kernel/time/tick-broadcast.c commit 960ec51ab2142544fbae563d4fd5744775408965 Author: Al Viro Date: Sat Jul 20 03:13:55 2013 +0400 Upstream commit: acfec9a5a892f98461f52ed5770de99a3e571ae2 livelock avoidance in sget() Eric Sandeen has found a nasty livelock in sget() - take a mount(2) about to fail. The superblock is on ->fs_supers, ->s_umount is held exclusive, ->s_active is 1. Along comes two more processes, trying to mount the same thing; sget() in each is picking that superblock, bumping ->s_count and trying to grab ->s_umount. ->s_active is 3 now. Original mount(2) finally gets to deactivate_locked_super() on failure; ->s_active is 2, superblock is still ->fs_supers because shutdown will *not* happen until ->s_active hits 0. ->s_umount is dropped and now we have two processes chasing each other: s_active = 2, A acquired ->s_umount, B blocked A sees that the damn thing is stillborn, does deactivate_locked_super() s_active = 1, A drops ->s_umount, B gets it A restarts the search and finds the same superblock. And bumps it ->s_active. s_active = 2, B holds ->s_umount, A blocked on trying to get it ... and we are in the earlier situation with A and B switched places. The root cause, of course, is that ->s_active should not grow until we'd got MS_BORN. Then failing ->mount() will have deactivate_locked_super() shut the damn thing down. Fortunately, it's easy to do - the key point is that grab_super() is called only for superblocks currently on ->fs_supers, so it can bump ->s_count and grab ->s_umount first, then check MS_BORN and bump ->s_active; we must never increment ->s_count for superblocks past ->kill_sb(), but grab_super() is never called for those. The bug is pretty old; we would've caught it by now, if not for accidental exclusion between sget() for block filesystems; the things like cgroup or e.g. mtd-based filesystems don't have anything of that sort, so they get bitten. The right way to deal with that is obviously to fix sget()... Signed-off-by: Al Viro fs/super.c | 25 ++++++++++--------------- 1 files changed, 10 insertions(+), 15 deletions(-) commit 3540cebbbfa4aef94527ad3e0e49097848147fb9 Merge: ab95b58 d5142e3 Author: Brad Spengler Date: Sun Jul 21 22:47:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit d5142e31785f8c32c7338c51fcc27313bdd4a84e Merge: f36ae8c 0f4a56e Author: Brad Spengler Date: Sun Jul 21 22:47:34 2013 -0400 Merge branch 'linux-3.10.y' into pax-test commit ab95b5842899d61ff5c30f4582e72029b3155be8 Author: Brad Spengler Date: Sun Jul 21 22:28:40 2013 -0400 compile fix with constification reported by Michael Tremer drivers/gpu/host1x/drm/dc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 817cd2d1e7a55720326599dd8f542578eef30927 Author: Hannes Frederic Sowa Date: Fri Jul 12 23:46:33 2013 +0200 Upstream commit: 307f2fb95e9b96b3577916e73d92e104f8f26494 ipv6: only static routes qualify for equal cost multipathing Static routes in this case are non-expiring routes which did not get configured by autoconf or by icmpv6 redirects. To make sure we actually get an ecmp route while searching for the first one in this fib6_node's leafs, also make sure it matches the ecmp route assumptions. v2: a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF already ensures that this route, even if added again without RTF_EXPIRES (in case of a RA announcement with infinite timeout), does not cause the rt6i_nsiblings logic to go wrong if a later RA updates the expiration time later. v3: a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, because an pmtu event could update the RTF_EXPIRES flag and we would not count this route, if another route joins this set. We now filter only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that don't get changed after rt6_info construction. Cc: Nicolas Dichtel Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_fib.c | 15 +++++++++++---- 1 files changed, 11 insertions(+), 4 deletions(-) commit 77db8196d51b043e2e2d124094da101b0f01bccb Author: Dan Carpenter Date: Fri Jul 12 09:39:03 2013 +0300 Upstream commit: b2781e1021525649c0b33fffd005ef219da33926 svcrdma: underflow issue in decode_write_list() My static checker marks everything from ntohl() as untrusted and it complains we could have an underflow problem doing: return (u32 *)&ary->wc_array[nchunks]; Also on 32 bit systems the upper bound check could overflow. Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: J. Bruce Fields net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ 1 files changed, 14 insertions(+), 6 deletions(-) commit 926473317fd7953137ef97835edd36dabc584b01 Author: Brad Spengler Date: Wed Jul 17 21:29:02 2013 -0400 add missing asm/pgtable.h include, reported by Michael Tremer drivers/clk/socfpga/clk.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c592ae0001b31932ef1491784dfa374058797c66 Author: Brad Spengler Date: Tue Jul 16 20:40:24 2013 -0400 allow viewing of ecryptfs version under SYSFS_RESTRICT fs/sysfs/dir.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 36db325ef3b07ea8cdb47f549e706e5d71398e14 Merge: 9c96441 f36ae8c Author: Brad Spengler Date: Sun Jul 14 19:23:13 2013 -0400 Merge branch 'pax-test' into grsec-test commit f36ae8c741ae32b1caff10825be12c327792c925 Author: Brad Spengler Date: Sun Jul 14 19:22:15 2013 -0400 Update to pax-linux-3.10-test2.patch: - spender fixed a compile regression in a recent arm/UDEREF change, reported by Michael Tremer - spender fixed arm/KERNEXEC for v5 and older CPUs, reported by Michael Tremer - spender fixed a new CONSTIFY victim on arm, reported by Michael Tremer - spender fixed an madvise regression, reported by Peter Keel - spender fixed a SLAB regression, reported by Thorsten (http://forums.grsecurity.net/viewtopic.php?f=3&t=3614) and Jens (http://forums.grsecurity.net/viewtopic.php?f=1&t=3616) - fixed a headers_install regression, reported by Mathias Krause - fixed a SLOB compile regression, reported by Mathias Krause arch/arm/include/asm/uaccess.h | 4 ++-- arch/arm/mm/mmu.c | 15 +++++++++++++-- drivers/clk/socfpga/clk.c | 6 ++++-- mm/madvise.c | 4 ++-- mm/slab.c | 4 ++-- mm/slob.c | 4 ++-- scripts/headers_install.sh | 2 +- 7 files changed, 26 insertions(+), 13 deletions(-) commit 9c9644156a49637050741d9165df79174e59b0ef Author: Brad Spengler Date: Sun Jul 14 19:19:54 2013 -0400 Fix sparc64 compilation, reported by Blake Self arch/sparc/kernel/sys_sparc_64.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7bcd3db081454768542c3d741bcf32cd61a50cf5 Author: Brad Spengler Date: Sun Jul 14 11:49:17 2013 -0400 Update PaX fix, just return the error mm/madvise.c | 15 +++++++-------- 1 files changed, 7 insertions(+), 8 deletions(-) commit a10e377d0eddd37e8a3665b135e546ab03d9d171 Author: Brad Spengler Date: Sun Jul 14 11:36:00 2013 -0400 Fix madvise oops reported by Peter Keel mm/madvise.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) commit 08c5adca34d408772255b313f90d82c250c1d967 Author: Brad Spengler Date: Sun Jul 14 11:26:34 2013 -0400 don't make high vector mapping non-present on old ARM architectures, no point in emulating some vector entries when the processor doesn't even support XN arch/arm/mm/mmu.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 2b40781d4197a89a003616af584884e36361c5b2 Author: Brad Spengler Date: Sun Jul 14 09:51:58 2013 -0400 Temporary compile fix for code incorrectly modifying const data Wrap a cast version of the code with open/close Thanks to Michael Tremer for the report drivers/clk/socfpga/clk.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit a8258c1b4098c396cd4ea719e20858182feac1c1 Author: Brad Spengler Date: Sun Jul 14 09:41:16 2013 -0400 Fix missing right parens in pipacs' "improvement" of my ARM code ;) Thanks to Michael Tremer for reporting arch/arm/include/asm/uaccess.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 8542e1e973be7cc9a009d2ada8033576b2890e6f Merge: 86f446e 2577f8e Author: Brad Spengler Date: Sat Jul 13 20:46:58 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: mm/memcontrol.c commit 2577f8e4ec41efb347706a59c6838de20f0c90da Merge: 75a36f0 cb5d8be Author: Brad Spengler Date: Sat Jul 13 20:43:42 2013 -0400 Merge branch 'linux-3.10.y' into pax-test Conflicts: crypto/algapi.c drivers/block/nbd.c commit 86f446e9d5c6b475d2e9360cc04f4361ad1b19b8 Author: Brad Spengler Date: Fri Jul 12 23:02:11 2013 -0400 we always want the vector page to be noaccess for userland therefore, when kernexec is disabled, instead of L_PTE_USER | L_PTE_RDONLY which turns into supervisor rwx, userland rx, we instead omit that entirely, leaving it as supervisor rwx only Fixes booting on ARMv5 and earlier, which need to write directly to the high vector mapping via set_tls when context switching Thanks to Michael Tremer for the bugreport arch/arm/mm/mmu.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) commit 90cd0827eef656ec884f19c977873fefe2f2e47d Author: Cong Wang Date: Sat Jun 29 12:02:59 2013 +0800 Upstream commit: 6c734fb8592f6768170e48e7102cb2f0a1bb9759 gre: fix a regression in ioctl When testing GRE tunnel, I got: # ip tunnel show get tunnel gre0 failed: Invalid argument get tunnel gre1 failed: Invalid argument This is a regression introduced by commit c54419321455631079c7d ("GRE: Refactor GRE tunneling code.") because previously we only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the check is moved for all commands. So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. After this patch I got: # ip tunnel show gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit Cc: Pravin B Shelar Cc: "David S. Miller" Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv4/ip_gre.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) commit 50d4e90ec8da630eac8840da9c53b8738a2f98b5 Author: Cong Wang Date: Sat Jun 29 13:00:57 2013 +0800 Upstream commit: ab6c7a0a43c2eaafa57583822b619b22637b49c7 vti: remove duplicated code to fix a memory leak vti module allocates dev->tstats twice: in vti_fb_tunnel_init() and in vti_tunnel_init(), this lead to a memory leak of dev->tstats. Just remove the duplicated operations in vti_fb_tunnel_init(). (candidate for -stable) Cc: Stephen Hemminger Cc: Saurabh Mohan Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit af9e57897a8fab9bbeceb984bd0aeaedb36aefcd Author: Michal Schmidt Date: Mon Jul 1 17:23:05 2013 +0200 Upstream commit: 058eec4116935c5640299913e1e0715e87ec622a bnx2x: remove zeroing of dump data buffer There is no need to initialize the dump data with zeros. data is allocated with vzalloc, so it's already zero-filled. More importantly, the memset is harmful, because dump->len (the length requested by userspace) can be bigger than the allocated buffer (whose size is determined by asking the driver's .get_dump_flag method). Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit c771072b72c261f9bddd6734dca6979c1b96e7df Author: Michal Schmidt Date: Mon Jul 1 17:23:06 2013 +0200 Upstream commit: 5bb680d6cbe36de9d7ba12b05f845c91a8692318 bnx2x: fix dump flag handling bnx2x interprets the dump flag as an index of a register preset. It is important to validate the index to avoid out of bounds memory accesses. Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller .../net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 3 +++ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 ++ 2 files changed, 5 insertions(+), 0 deletions(-) commit aed315c8fad9b2044143b46b239574b1b72135ce Author: Michal Schmidt Date: Mon Jul 1 17:23:30 2013 +0200 Upstream commit: c590b5e2f05b5e98e614382582b7ae4cddb37599 ethtool: make .get_dump_data() harder to misuse by drivers As the patch "bnx2x: remove zeroing of dump data buffer" showed, it is too easy implement .get_dump_data incorrectly in a driver. Let's make sure drivers cannot get confused by userspace requesting a too big dump. Also WARN if the driver sets dump->len to something weird and make sure the length reported to userspace is the actual length of data copied to userspace. Signed-off-by: Michal Schmidt Reviewed-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 21 ++++++++++++++++++++- 1 files changed, 20 insertions(+), 1 deletions(-) commit 5c57991e66216e386dcc875d34c33f0edd038569 Author: Wei Yongjun Date: Tue Jul 2 09:02:07 2013 +0800 Upstream commit: e1558a93b61962710733dc8c11a2bc765607f1cd l2tp: add missing .owner to struct pppox_proto Add missing .owner of struct pppox_proto. This prevents the module from being removed from underneath its users. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 4613b8adae32cc774bb727d2ec71f3d0bd7ff1c4 Author: Benjamin Herrenschmidt Date: Sun Jun 30 14:37:11 2013 +1000 Upstream commit: 7cc47d139f9a815a91bd9e7377063238c69a0423 cxgb3: Missing rtnl lock in error recovery When exercising error injection on IBM pseries machine, I hit the following warning: [ 251.450043] RTAS: event: 89, Type: Platform Error, Severity: 2 [ 253.549822] cxgb3 0006:01:00.0: enabling device (0140 -> 0142) [ 253.713560] cxgb3 0006:01:00.0: adapter recovering, PEX ERR 0x100 [ 254.895437] RTNL: assertion failed at net/core/dev.c (2031) [ 254.895467] CPU: 6 PID: 5449 Comm: eehd Tainted: G W 3.10.0-rc7-00157-gea461ab #19 [ 254.895474] Call Trace: [ 254.895483] [c000000fac56f7d0] [c000000000014dcc] .show_stack+0x7c/0x1f0 (unreliable) [ 254.895493] [c000000fac56f8a0] [c0000000007ba318] .dump_stack+0x28/0x3c [ 254.895500] [c000000fac56f910] [c0000000006c0384] .netif_set_real_num_tx_queues+0x224/0x230 [ 254.895515] [c000000fac56f9b0] [d00000000ef35510] .cxgb_open+0x80/0x3f0 [cxgb3] [ 254.895525] [c000000fac56fa50] [d00000000ef35914] .t3_resume_ports+0x94/0x100 [cxgb3] [ 254.895533] [c000000fac56fae0] [c00000000005fc8c] .eeh_report_resume+0x8c/0xd0 [ 254.895539] [c000000fac56fb60] [c00000000005e9fc] .eeh_pe_dev_traverse+0x9c/0x190 [ 254.895545] [c000000fac56fc10] [c000000000060000] .eeh_handle_event+0x110/0x330 [ 254.895551] [c000000fac56fca0] [c000000000060350] .eeh_event_handler+0x130/0x1a0 [ 254.895558] [c000000fac56fd30] [c0000000000ad758] .kthread+0xe8/0xf0 [ 254.895566] [c000000fac56fe30] [c00000000000a05c] .ret_from_kernel_thread+0x5c/0x80 It appears that t3_resume_ports() is called with the rtnl_lock held from the fatal error task but not from the PCI error callbacks. This fixes it. Signed-off-by: Benjamin Herrenschmidt Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ea8f4222cddf3250dbcfc7db0437ebf74c352370 Author: Hannes Frederic Sowa Date: Mon Jul 1 20:21:30 2013 +0200 Upstream commit: 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data We accidentally call down to ip6_push_pending_frames when uncorking pending AF_INET data on a ipv6 socket. This results in the following splat (from Dave Jones): skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:126! invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth +netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 RIP: 0010:[] [] skb_panic+0x63/0x65 RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Stack: ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 Call Trace: [] skb_push+0x3a/0x40 [] ip6_push_pending_frames+0x1f6/0x4d0 [] ? mark_held_locks+0xbb/0x140 [] udp_v6_push_pending_frames+0x2b9/0x3d0 [] ? udplite_getfrag+0x20/0x20 [] udp_lib_setsockopt+0x1aa/0x1f0 [] ? fget_light+0x387/0x4f0 [] udpv6_setsockopt+0x34/0x40 [] sock_common_setsockopt+0x14/0x20 [] SyS_setsockopt+0x71/0xd0 [] tracesys+0xdd/0xe2 Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 RIP [] skb_panic+0x63/0x65 RSP This patch adds a check if the pending data is of address family AF_INET and directly calls udp_push_ending_frames from udp_v6_push_pending_frames if that is the case. This bug was found by Dave Jones with trinity. (Also move the initialization of fl6 below the AF_INET check, even if not strictly necessary.) Cc: Dave Jones Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/udp.h | 1 + net/ipv4/udp.c | 3 ++- net/ipv6/udp.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) commit cd83094a85d9bbd5a67332156407d53cf8835432 Author: Hannes Frederic Sowa Date: Tue Jul 2 08:04:05 2013 +0200 Upstream commit: 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track of this when appending the second frame on a corked socket. This results in the following splat: [37598.993962] ------------[ cut here ]------------ [37598.994008] kernel BUG at net/core/skbuff.c:2064! [37598.994008] invalid opcode: 0000 [#1] SMP [37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi +scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm [37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc +dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video [37598.994008] CPU 0 [37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG [37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 [37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 [37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 [37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 [37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 [37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 [37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 [37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 [37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) [37598.994008] Stack: [37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 [37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 [37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 [37598.994008] Call Trace: [37598.994008] [] ip6_append_data+0xccf/0xfe0 [37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 [37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 [37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 [37598.994008] [] ? sock_has_perm+0x75/0x90 [37598.994008] [] inet_sendmsg+0x63/0xb0 [37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 [37598.994008] [] sock_sendmsg+0xb0/0xe0 [37598.994008] [] ? __switch_to+0x181/0x4a0 [37598.994008] [] sys_sendto+0x12d/0x180 [37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 [37598.994008] [] ? syscall_trace_enter+0x231/0x240 [37598.994008] [] tracesys+0xdd/0xe2 [37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 [37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 [37598.994008] RSP [37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- While there, also check if path mtu discovery is activated for this socket. The logic was adapted from ip6_append_data when first writing on the corked socket. This bug was introduced with commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec fragment"). v2: a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao feng, thanks!). c) Change mtu to unsigned int, else we get a warning about non-matching types because of the min()-macro type-check. Acked-by: Gao feng Cc: YOSHIFUJI Hideaki Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 16 ++++++++++------ 1 files changed, 10 insertions(+), 6 deletions(-) commit 23151ca7ca80e58d2616dac7be9fd62943c9a72c Author: Michael S. Tsirkin Date: Sun Jul 7 14:26:53 2013 +0300 Upstream commit: dd7633ecd553a5e304d349aa6f8eb8a0417098c5 vhost-net: fix use-after-free in vhost_net_flush vhost_net_ubuf_put_and_wait has a confusing name: it will actually also free it's argument. Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 "vhost-net: flush outstanding DMAs on memory change" vhost_net_flush tries to use the argument after passing it to vhost_net_ubuf_put_and_wait, this results in use after free. To fix, don't free the argument in vhost_net_ubuf_put_and_wait, add an new API for callers that want to free ubufs. Acked-by: Asias He Acked-by: Jason Wang Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller drivers/vhost/net.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 088806db74ac2f08c106202bc5498585a9ee529f Author: Michal Hocko Date: Mon Jul 8 16:00:29 2013 -0700 Upstream commit: f37a96914d1aea10fed8d9af10251f0b9caea31b memcg, kmem: fix reference count handling on the error path mem_cgroup_css_online calls mem_cgroup_put if memcg_init_kmem fails. This is not correct because only memcg_propagate_kmem takes an additional reference while mem_cgroup_sockets_init is allowed to fail as well (although no current implementation fails) but it doesn't take any reference. This all suggests that it should be memcg_propagate_kmem that should clean up after itself so this patch moves mem_cgroup_put over there. Unfortunately this is not that easy (as pointed out by Li Zefan) because memcg_kmem_mark_dead marks the group dead (KMEM_ACCOUNTED_DEAD) if it is marked active (KMEM_ACCOUNTED_ACTIVE) which is the case even if memcg_propagate_kmem fails so the additional reference is dropped in that case in kmem_cgroup_destroy which means that the reference would be dropped two times. The easiest way then would be to simply remove mem_cgrroup_put from mem_cgroup_css_online and rely on kmem_cgroup_destroy doing the right thing. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.8] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 08bfb6e700d13886ed722c2236e1ec10f03a95df Author: Michal Hocko Date: Mon Jul 8 16:00:27 2013 -0700 Upstream commit: fa460c2d37870e0a6f94c70e8b76d05ca11b6db0 Revert "memcg: avoid dangling reference count in creation failure" This reverts commit e4715f01be697a. mem_cgroup_put is hierarchy aware so mem_cgroup_put(memcg) already drops an additional reference from all parents so the additional mem_cgrroup_put(parent) potentially causes use-after-free. Signed-off-by: Michal Hocko Signed-off-by: Li Zefan Acked-by: KAMEZAWA Hiroyuki Cc: Hugh Dickins Cc: Tejun Heo Cc: Glauber Costa Cc: Johannes Weiner Cc: [3.9+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) commit 3267ec559f48327a1836eccecd53215afc5810d0 Author: Tyler Hicks Date: Thu Jun 20 13:13:59 2013 -0700 Upstream commit: 2cb33cac622afde897aa02d3dcd9fbba8bae839e libceph: Fix NULL pointer dereference in auth client code A malicious monitor can craft an auth reply message that could cause a NULL function pointer dereference in the client's kernel. To prevent this, the auth_none protocol handler needs an empty ceph_auth_client_ops->build_request() function. CVE-2013-1059 Signed-off-by: Tyler Hicks Reported-by: Chanam Park Reviewed-by: Seth Arnold Reviewed-by: Sage Weil Cc: stable@vger.kernel.org net/ceph/auth_none.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit cdfeb4049e7cb38702215b2c356ce0407974ac79 Author: Eric Paris Date: Wed Jul 3 15:08:29 2013 -0700 Upstream commit: b57922b6c76c3ee401bb32fd3f298409dd6e6a53 fork: reorder permissions when violating number of processes limits When a task is attempting to violate the RLIMIT_NPROC limit we have a check to see if the task is sufficiently priviledged. The check first looks at CAP_SYS_ADMIN, then CAP_SYS_RESOURCE, then if the task is uid=0. A result is that tasks which are allowed by the uid=0 check are first checked against the security subsystem. This results in the security subsystem auditting a denial for sys_admin and sys_resource and then the task passing the uid=0 check. This patch rearranges the code to first check uid=0, since if we pass that we shouldn't hit the security system at all. We then check sys_resource, since it is the smallest capability which will solve the problem. Lastly we check the fallback everything cap_sysadmin. We don't want to give this capability many places since it is so powerful. This will eliminate many of the false positive/needless denial messages we get when a root task tries to violate the nproc limit. (note that kthreads count against root, so on a sufficiently large machine we can actually get past the default limits before any userspace tasks are launched.) Signed-off-by: Eric Paris Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08c87e049c8a50707908785d950fd48c334f4c09 Author: Chen Gang Date: Sat Jun 22 13:26:09 2013 +0800 Upstream commit: f118e9abddfae94d7ef88858159d7556e1c2f7f6 arch: sparc: kernel: check the memory length before use strcpy(). For the related next strcpy(), the destination length is less than 512, but the source maximize length may be 'OPROMMAXPARAM' (4096) which is more than 512. One work flow may: openprom_sunos_ioctl() -> if (cmd == OPROMSETOPT) getstrings() -> will alloc buffer with size 'OPROMMAXPARAM'. opromsetopt() -> devide the buffer into 'var' and 'value' of_set_property() -> pass prom_setprop() -> pass ldom_set_var() And do not mind the additional 4 alignment buffer increasing, since 'sizeof(pkt) - sizeof(pkt.header)' is 4 alignment at least. Signed-off-by: Chen Gang Signed-off-by: David S. Miller arch/sparc/kernel/ds.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) commit 0f5d7e1171c65a8d4e9186b3656e1206121efb13 Author: Brad Spengler Date: Fri Jul 12 20:38:45 2013 -0400 Fix SLAB boot errors due to PAX_USERCOPY reported on the forums Unlike slub, slab can initally create two of the kmalloc_caches which will be used later for generic kmallocs of their particular aligned size (since the later loop in the unified allocator code skips any already-existing kmalloc_caches) mm/slab.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 7afc9d07a4c0a676aa5c4ac2b30882f60be6bae3 Author: Brad Spengler Date: Tue Jul 9 22:04:59 2013 -0400 compile fixes fs/exec.c | 2 +- mm/mmap.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit e2d027c7e0f106be683c0c72482b8285daefcbe6 Author: Brad Spengler Date: Tue Jul 9 20:58:40 2013 -0400 commit successful merges Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 3 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 4 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 1 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 129 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/block/cpqarray.c | 1 + drivers/cdrom/cdrom.c | 4 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/mwave/tp3780i.c | 1 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++++------------ drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 9 +- fs/debugfs/inode.c | 4 + fs/exec.c | 184 ++- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/resize.c | 17 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 234 ++- fs/namespace.c | 16 + fs/notify/fanotify/fanotify_user.c | 1 + fs/open.c | 38 + fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 ++- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/perf_event.h | 13 +- include/linux/printk.h | 3 +- include/linux/sched.h | 24 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 64 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 2 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 7 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 70 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 1 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 63 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev_ioctl.c | 4 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 4 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netrom/af_netrom.c | 1 - net/phonet/af_phonet.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 31 +- security/Kconfig | 343 +++- security/apparmor/Kconfig | 9 + security/apparmor/apparmorfs.c | 231 ++ security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 242 files changed, 4385 insertions(+), 2042 deletions(-) commit 043a378c0f72ed92cc30182c48abce39867ac93f Author: Brad Spengler Date: Tue Jul 9 20:57:40 2013 -0400 Commit merge of new files and rejected patches arch/arm/include/asm/thread_info.h | 6 +- arch/arm/kernel/process.c | 4 +- arch/powerpc/include/asm/thread_info.h | 7 +- arch/powerpc/mm/slice.c | 2 +- arch/sparc/kernel/process_64.c | 4 +- arch/x86/kernel/vm86_32.c | 15 + fs/coredump.c | 1 + fs/ext4/balloc.c | 4 +- fs/namei.c | 7 + fs/namespace.c | 8 + fs/pipe.c | 2 +- fs/proc/inode.c | 13 + fs/proc/internal.h | 3 + grsecurity/Kconfig | 1054 +++++++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 ++++ grsecurity/gracl_ip.c | 387 +++ grsecurity/gracl_learn.c | 207 ++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 +++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 +++ grsecurity/grsec_disabled.c | 434 ++++ grsecurity/grsec_exec.c | 187 ++ grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 +++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 +++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 246 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 ++++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/gracl.h | 319 +++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 ++ include/linux/grinternal.h | 227 ++ include/linux/grmsg.h | 112 + include/linux/grsecurity.h | 241 ++ include/linux/grsock.h | 19 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/proc_fs.h | 13 + include/linux/sched.h | 48 +- include/trace/events/fs.h | 53 + kernel/kmod.c | 7 +- kernel/panic.c | 2 +- kernel/posix-timers.c | 1 + kernel/time/timekeeping.c | 2 + lib/Kconfig.debug | 2 +- lib/vsprintf.c | 31 + localversion-grsec | 1 + mm/mmap.c | 13 +- mm/shmem.c | 2 +- net/core/net-procfs.c | 5 + net/ipv6/udp.c | 3 + net/netfilter/xt_gradm.c | 51 + 66 files changed, 11184 insertions(+), 21 deletions(-) commit 75a36f058b5abbc82f9b94ba5576eef4b40cd5d6 Author: Brad Spengler Date: Tue Jul 9 17:35:47 2013 -0400 Initial import of pax-linux-3.10-test1.patch Documentation/dontdiff | 46 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 444 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 14 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-ux500/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 22 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 4 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_64.h | 4 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 122 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 33 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 28 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 61 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 +- arch/x86/kernel/entry_64.S | 548 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 13 +- arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 143 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 55 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 2 + arch/x86/kernel/setup.c | 21 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 4 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 61 +- arch/x86/kvm/x86.c | 8 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 363 +- arch/x86/lib/usercopy_64.c | 13 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 98 +- arch/x86/mm/init_32.c | 113 +- arch/x86/mm/init_64.c | 38 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 10 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 94 +- arch/x86/um/tls_32.c | 2 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/genhd.c | 11 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/algapi.c | 2 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/nbd.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 45 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 6 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_ondemand.c | 8 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 69 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 6 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 57 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 12 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +- drivers/media/v4l2-core/v4l2-ioctl.c | 11 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/chromeos_laptop.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/media/solo6x10/solo6x10-core.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vhost/vringh.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/output.c | 2 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_addr.c | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 12 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 607 ++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 4 +- fs/fhandle.c | 3 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/lockd/svc.c | 2 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 10 +- fs/nfs/callback.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 9 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 61 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 12 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 40 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 4 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 4 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 116 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-ohci-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 65 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 42 +- include/linux/slab_def.h | 28 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 8 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 10 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/netns/ipv6.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 42 +- init/main.c | 83 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditfilter.c | 2 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 30 +- kernel/events/internal.h | 10 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 11 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 22 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 76 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 18 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 2 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 6 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 15 +- mm/mmap.c | 606 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/page_io.c | 2 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 79 +- mm/slab.h | 5 +- mm/slab_common.c | 46 +- mm/slob.c | 201 +- mm/slub.c | 79 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 77 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_core.c | 8 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 12 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 16 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 4 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 6 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.sh | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 676 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/internal.h | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/fsl/fsl_ssi.c | 2 +- sound/sound_core.c | 2 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 172 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 560 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5893 ++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 +++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 277 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1607 files changed, 30734 insertions(+), 7318 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit d92091aac493a547d85ddf1b98bd9aaa8c7112a5 Author: Brad Spengler Date: Thu Jul 4 23:05:14 2013 -0400 always enforce a non-zero gap for RAND_THREADSTACK mm/mmap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 40d67e38a42d4e94b43b3d7400addc662b9857dc Author: Brad Spengler Date: Thu Jul 4 16:09:28 2013 -0400 fix up file comparisons grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_sig.c | 4 ++-- include/linux/grinternal.h | 12 ++++++++++++ 3 files changed, 15 insertions(+), 3 deletions(-) commit a1fff2c95162314626dd96bec71d951a8c1c4708 Author: Brad Spengler Date: Thu Jul 4 15:33:18 2013 -0400 fix suid binary matching grsecurity/grsec_sig.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 00131c458eea5200971c8fc326e90fdb6c2d0baa Merge: 37b97a9 47beb61 Author: Brad Spengler Date: Thu Jul 4 15:02:31 2013 -0400 Merge branch 'pax-test' into grsec-test commit 47beb61be9d430ab3fdb79a3b1e2099b4cfcf798 Author: Brad Spengler Date: Thu Jul 4 15:01:37 2013 -0400 Update to pax-linux-3.9.9-test13.patch: - hopefully fixed the EFI boot regression (https://bugs.gentoo.org/show_bug.cgi?id=471626) - fixed some arm compilation issues (http://forums.grsecurity.net/viewtopic.php?f=1&t=3586 and http://forums.grsecurity.net/viewtopic.php?f=1&t=3587) arch/arm/include/asm/uaccess.h | 20 ++++++++++---------- arch/arm/kernel/armksyms.c | 2 +- arch/arm/kernel/entry-armv.S | 4 ++-- arch/arm/mm/Kconfig | 2 +- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/page.h | 1 + arch/x86/kernel/entry_32.S | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- arch/x86/kernel/head64.c | 12 ++++++------ arch/x86/kernel/head_64.S | 16 ++++++++++++---- arch/x86/mm/init.c | 8 ++++++++ arch/x86/mm/init_32.c | 6 ------ arch/x86/mm/init_64.c | 6 ------ arch/x86/platform/efi/efi_32.c | 5 +++++ arch/x86/platform/efi/efi_64.c | 10 ++++++++++ 15 files changed, 64 insertions(+), 44 deletions(-) commit 89085d2d0643813a62f23d1199a335dc1e129bc0 Merge: 963af7f 0adf2e7 Author: Brad Spengler Date: Thu Jul 4 14:55:44 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 37b97a95e97badc79cc8b6e092f0f94ac24e4ae4 Author: Brad Spengler Date: Thu Jul 4 13:46:02 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 32538dba4959a290a1de81a7f8eeaba99f952aa6 Author: Brad Spengler Date: Thu Jul 4 13:29:51 2013 -0400 update log arguments grsecurity/grsec_sig.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 5c7ee197d6ecb3ec9b3b9588d2b0cb8541d9fa71 Author: Brad Spengler Date: Thu Jul 4 13:20:23 2013 -0400 Update logging of suid exec ban Conflicts: grsecurity/grsec_sig.c grsecurity/grsec_sig.c | 3 +-- include/linux/grmsg.h | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) commit ef808866c070aa1901bd2224521baaf5d145a3a7 Author: Brad Spengler Date: Thu Jul 4 12:58:33 2013 -0400 Additional improvements to the user banning code: Separate the kernel-bruteforcing case from the suid bruteforcing case In the suid bruteforcing case, only kill existing copies of the bruteforced binary. Instead of preventing all future execs by this user, prevent them from executing any suid/sgid binaries for the next 15 minutes. Kernel case is mostly unchanged from before, except the task trying to change real uid to the banned user will be terminated instead of failing the setuid call. Configuration help has been updated to reflect the new changes. fs/exec.c | 13 +++++--- grsecurity/Kconfig | 5 ++- grsecurity/gracl.c | 6 ++-- grsecurity/grsec_sig.c | 76 ++++++++++++++++++++++++++------------------ include/linux/grsecurity.h | 1 - include/linux/sched.h | 9 +++-- 6 files changed, 65 insertions(+), 45 deletions(-) commit 0f0b6c9d67d429364621b8784ef4a048b7e40736 Author: Brad Spengler Date: Wed Jul 3 16:14:09 2013 -0400 fix renamed export of csum_partial_copy_from_user, as reported by fabled on the forums arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 318235973c2a548c3d25562645d6b69f66e85934 Author: Brad Spengler Date: Wed Jul 3 16:09:16 2013 -0400 make CPU_USE_DOMAINS depend on !PAX_MEMORY_UDEREF, fixes compile error reported on the forums by fabled arch/arm/mm/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b569a7f60fab7a522d8c142765c8b847bbce8a1e Author: Brad Spengler Date: Wed Jul 3 15:53:12 2013 -0400 Revise the user ban code to kill the process issuing a banned set*id instead of returning an error. For the sake of keeping unified user banning between the suid and kernel bruteforce case, we will apply this killing to the suid bruteforce case, despite a check just at exec time (that already existed) being sufficient. Returning an error could enable exploitation of the "failure to check setuid return value" case which was recently effectively closed upstream, albeit in a rare situation with a suitable binary and two colluding users. Many thanks to stealth for reviewing the user ban code. grsecurity/gracl.c | 4 ++-- grsecurity/grsec_sig.c | 16 +++++++++++++--- 2 files changed, 15 insertions(+), 5 deletions(-) commit 4a0808a0aa34bf3692f9ade0f11f6fbe30418c4f Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 Upstream commit: 605c912bb843c024b1ed173dc427cd5c08e5d54d UBIFS: fix a horrid bug Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Cc: stable@vger.kernel.org Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro fs/ubifs/dir.c | 30 +++++++++++++++++++++++++++--- 1 files changed, 27 insertions(+), 3 deletions(-) commit c22280b85088978bd8b45bd23096879459b48008 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 Upstream commit: 2976b10f05bd7f6dab9f9e7524451ddfed656a89 perf: Disable monitoring on setuid processes for regular users There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Signed-off-by: Ingo Molnar fs/exec.c | 16 +++++++++------- 1 files changed, 9 insertions(+), 7 deletions(-) commit 16e6a61c34ae5ed0fbfa9151b24dc6a751cca7c0 Author: Brad Spengler Date: Sat Jun 29 13:10:02 2013 -0400 on context switch, make sure we switch DACR when domain support and KERNEXEC is disabled but UDEREF is enabled arch/arm/kernel/entry-armv.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 08d017fa51370921694ce087b28c96fec92993d4 Author: Michael S. Tsirkin Date: Sun Jun 23 17:26:58 2013 +0300 Upstream commit: 4c7ab054ab4f5d63625508ed6f8a607184cae7c2 macvtap: fix recovery from gup errors get user pages might fail partially in macvtap zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Signed-off-by: David S. Miller drivers/net/macvtap.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 8118c60e6478b9d0687c2aa7779e45ac7859b1be Author: Michael S. Tsirkin Date: Sun Jun 23 17:19:03 2013 +0300 Upstream commit: 7e24bfbe43b545b1689a5f134ed83645b9e34b86 tun: fix recovery from gup errors get user pages might fail partially in tun zero copy mode. To recover we need to put all pages that we got, but code used a wrong index resulting in double-free errors. Reported-by: Brad Hubbard Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Neil Horman Signed-off-by: David S. Miller drivers/net/tun.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit c71e53d3b87fba6f7ba29a440d4c835f03aadf28 Author: Balazs Peter Odor Date: Sat Jun 22 19:24:43 2013 +0200 Upstream commit: 5aed93875cd88502f04a0d4517b8a2d89a849773 netfilter: nf_nat_sip: fix mangling In (b20ab9c netfilter: nf_ct_helper: better logging for dropped packets) there were some missing brackets around the logging information, thus always returning drop. Closes https://bugzilla.kernel.org/show_bug.cgi?id=60061 Signed-off-by: Balazs Peter Odor Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_sip.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 87c18924aecb841586b8972fabb20c5b75ca2fc9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Upstream commit: 300b962e5244a1ea010df7e88595faa0085b461d Bluetooth: Fix crash in l2cap_build_cmd() with small MTU If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b0471b6c1160858fc646d8e94628fd1299f61692 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Upstream commit: 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 Bluetooth: Fix invalid length check in l2cap_information_rsp() The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Cc: stable@vger.kernel.org Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan net/bluetooth/l2cap_core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4184af98c360d825e638b268b1a9847232e8d299 Author: Eric Dumazet Date: Wed Jun 26 04:15:07 2013 -0700 Upstream commit: a963a37d384d71ad43b3e9e79d68d42fbe0901f3 ipv6: ip6_sk_dst_check() must not assume ipv6 dst It's possible to use AF_INET6 sockets and to connect to an IPv4 destination. After this, socket dst cache is a pointer to a rtable, not rt6_info. ip6_sk_dst_check() should check the socket dst cache is IPv6, or else various corruptions/crashes can happen. Dave Jones can reproduce immediate crash with trinity -q -l off -n -c sendmsg -c connect With help from Hannes Frederic Sowa Reported-by: Dave Jones Reported-by: Hannes Frederic Sowa Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) commit a9909c4993e8547ebeeafc4a4f5ff8570a941eb2 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 Upstream commit: 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 dlci: acquire rtnl_lock before calling __dev_get_by_name() Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 14 +++++++++----- 1 files changed, 9 insertions(+), 5 deletions(-) commit 1fe6f23c9acd14d832d056909ff326bde418e645 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 Upstream commit: 578a1310f2592ba90c5674bca21c1dbd1adf3f0a dlci: validate the net device in dlci_del() We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Cc: stable@vger.kernel.org Signed-off-by: David S. Miller drivers/net/wan/dlci.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 4d4464407611527ef6b6b5475cfcab6121b3da66 Merge: 59571a9 963af7f Author: Brad Spengler Date: Thu Jun 27 18:54:52 2013 -0400 Merge branch 'pax-test' into grsec-test commit 963af7f7f591759b731ce6325ceb583a72fcf423 Merge: c51e25a 55db48a Author: Brad Spengler Date: Thu Jun 27 18:54:42 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 59571a9db7485f530a1e865a13cacc4c991ec41f Author: Brad Spengler Date: Wed Jun 26 18:39:08 2013 -0400 From: Mathias Krause To: Steffen Klassert , "David S. Miller" Cc: Mathias Krause , netdev@vger.kernel.org, Herbert Xu Subject: [PATCH] af_key: fix info leaks in notify messages key_notify_sa_flush() and key_notify_policy_flush() miss to initialize the sadb_msg_reserved member of the broadcasted message and thereby leak 2 bytes of heap memory to listeners. Fix that. Signed-off-by: Mathias Krause Cc: Steffen Klassert Cc: "David S. Miller" Cc: Herbert Xu net/key/af_key.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit e1dd9fb168b3597f15fd5bd4bc88a7dd4cce5fd9 Author: Brad Spengler Date: Wed Jun 26 18:33:06 2013 -0400 update rand_threadstack code to continue the search for a gap if the first choice doesn't have enough space, instead of returning ENOMEM mm/mmap.c | 17 ++++++++++------- 1 files changed, 10 insertions(+), 7 deletions(-) commit 87020d4a4d83038d65ff1fd519938840f6888b9e Merge: 2682346 c51e25a Author: Brad Spengler Date: Wed Jun 26 18:25:32 2013 -0400 Merge branch 'pax-test' into grsec-test commit c51e25a23f30a1198076bd085f19b2073caf164d Author: Brad Spengler Date: Wed Jun 26 18:24:54 2013 -0400 Update to pax-linux-3.9.7-test12.patch: - fixed a regression on PARAVIRT/amd64 kernels - simplified the recent vm_unmapped_area_info based change arch/x86/kernel/entry_64.S | 8 ++++---- mm/mmap.c | 22 ++++++++++++---------- 2 files changed, 16 insertions(+), 14 deletions(-) commit 26823469a08e59cb67bea18d448d9e8c65f82e08 Author: Brad Spengler Date: Tue Jun 25 21:26:51 2013 -0400 re-enable GRKERNSEC_RAND_THREADSTACK now that the generic PaX vm_unmapped_area code is complete arch/x86/kernel/sys_i386_32.c | 5 +++++ grsecurity/Kconfig | 2 +- mm/mmap.c | 11 ++++++++++- 3 files changed, 16 insertions(+), 2 deletions(-) commit bcd93cc348a8faba1716f5cc137a48f25d6a67e7 Merge: e58fe8c c4e0704 Author: Brad Spengler Date: Tue Jun 25 19:08:52 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/sys_i386_32.c commit c4e07040c2c32c9eb2b093e5ae6e5bb050cb7511 Author: Brad Spengler Date: Tue Jun 25 19:05:39 2013 -0400 Update to pax-linux-3.9.7-test11.patch: - fixed some fallout from the recent executable vmalloc changes (http://forums.grsecurity.net/viewtopic.php?t=3562#p13111) - moved the PaX specific heap-stack gap check code over to the vm_unmapped_area_info based infrastructure - fixed the recent nested nmi related fixes some more - fixed a regression in kernel memory initialization on relocatable i386 kernels - empty_zero_page can be read-only on amd64 as well arch/arm/mm/mmap.c | 6 -- arch/x86/kernel/entry_64.S | 8 +-- arch/x86/kernel/head_64.S | 1 - arch/x86/kernel/setup.c | 2 +- arch/x86/kernel/sys_i386_32.c | 160 ++++++++++++---------------------------- drivers/lguest/core.c | 2 +- include/linux/mm.h | 6 +- include/linux/vmalloc.h | 2 +- mm/mmap.c | 30 +++++++- 9 files changed, 83 insertions(+), 134 deletions(-) commit e58fe8c43f6ee7047ac830ebfa9a70626b7ed11d Author: Brad Spengler Date: Sun Jun 23 14:37:14 2013 -0400 second compile fix, reported by forsaken on forums include/linux/vmalloc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ee10d89b09b56b46bc242ce760a1d9598276e2f Author: Brad Spengler Date: Sun Jun 23 14:36:35 2013 -0400 compile fix, reported by KDE on forums kernel/printk.c | 7 ------- 1 files changed, 0 insertions(+), 7 deletions(-) commit 1fc9a5e2e267205d28302e1e86ca0da434561111 Author: Ben Hutchings Date: Sun Jun 16 21:27:12 2013 +0100 Upstream commit: b8cb62f82103083a6e8fa5470bfe634a2c06514d x86/efi: Fix dummy variable buffer allocation 1. Check for allocation failure 2. Clear the buffer contents, as they may actually be written to flash 3. Don't leak the buffer Compile-tested only. [ Tested successfully on my buggy ASUS machine - Matt ] Signed-off-by: Ben Hutchings Cc: stable@vger.kernel.org Signed-off-by: Matt Fleming arch/x86/platform/efi/efi.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 83e15c8baaa620d8c777e84aa037b4302f0487c5 Author: Dave Kleikamp Date: Tue Jun 18 09:05:36 2013 -0500 Upstream commit: 23a01138efe216f8084cfaa74b0b90dd4b097441 sparc: tsb must be flushed before tlb This fixes a race where a cpu may re-load a tlb from a stale tsb right after it has been flushed by a remote function call. I still see some instability when stressing the system with parallel kernel builds while creating memory pressure by writing to /proc/sys/vm/nr_hugepages, but this patch improves the stability significantly. Signed-off-by: Dave Kleikamp Acked-by: Bob Picco Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d93b62f6485db9aadda34322a6867868db07f56f Merge: 4ef62f5 71d83e9 Author: Brad Spengler Date: Fri Jun 21 16:52:55 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 71d83e97c936563913bcfb5a25c45b2021a331eb Author: Brad Spengler Date: Fri Jun 21 16:48:42 2013 -0400 Update to pax-linux-3.9.7-test10.patch: - fixed a few format string problems uncovered by -Wformat-nonliteral - another attempt at fixing the nested nmi/cr0.wp problem - fixed vmalloc when used for allocating executable memory on non-modular kernels, reported by Lorand Kelemen (https://bugs.gentoo.org/show_bug.cgi?id=473866) - worked around an intentional gcc overflow in nfscache that tripped up the size overflow plugin (https://bugs.gentoo.org/show_bug.cgi?id=472274) - fixed a locking issue with track_exec_limit reported by spender - hunger reported a size overflow event in kobj_map that turned out to be a real bug, fix by Tejun Heo (https://patchwork.kernel.org/patch/2676631/) Documentation/dontdiff | 1 + arch/x86/boot/compressed/efi_stub_32.S | 16 ++----- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/entry_64.S | 74 ++++++++++++++++++------------ arch/x86/kernel/vmlinux.lds.S | 2 +- block/genhd.c | 11 +++-- crypto/algapi.c | 2 +- crypto/pcrypt.c | 6 +- drivers/base/attribute_container.c | 2 +- drivers/base/power/sysfs.c | 2 +- drivers/block/nbd.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/hw_random/intel-rng.c | 2 +- drivers/char/mem.c | 2 +- drivers/devfreq/devfreq.c | 2 +- drivers/gpu/drm/drm_encoder_slave.c | 6 +-- drivers/gpu/drm/drm_sysfs.c | 2 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/iommu/irq_remapping.c | 2 +- drivers/video/output.c | 2 +- fs/ext4/mmp.c | 2 +- fs/ext4/super.c | 2 +- fs/lockd/svc.c | 2 +- fs/nfs/callback.c | 4 +- fs/nfs/nfs4state.c | 2 +- fs/nfsd/nfscache.c | 3 +- init/initramfs.c | 2 +- kernel/rcutree.c | 2 +- lib/kobject.c | 2 +- mm/backing-dev.c | 4 +- mm/mmap.c | 4 +- mm/slub.c | 2 +- mm/vmalloc.c | 15 +++---- net/bluetooth/hci_core.c | 8 ++-- net/netfilter/nf_conntrack_proto_dccp.c | 4 +- net/sunrpc/svc.c | 2 +- security/Kconfig | 15 +++--- sound/core/sound.c | 2 +- sound/sound_core.c | 2 +- 40 files changed, 116 insertions(+), 111 deletions(-) commit 4ef62f52ab23ed87aaf0106be3eddf2019bc7d2c Merge: 39efd8f 256eff7 Author: Brad Spengler Date: Fri Jun 21 16:45:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: kernel/printk.c commit 256eff7a817d5faa18cd56fb97cc8c25112ec0a6 Merge: e6e3059 485f25f Author: Brad Spengler Date: Thu Jun 20 22:14:24 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 39efd8f4b9573d1ce31f47cdbea00b6c12054d4d Author: Brad Spengler Date: Tue Jun 18 17:20:18 2013 -0400 add apparmor compat patch security/apparmor/Kconfig | 9 ++ security/apparmor/apparmorfs.c | 231 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 240 insertions(+), 0 deletions(-) commit 49bee3c5341687504669bf62becf4a419a226ba0 Author: Brad Spengler Date: Mon Jun 17 18:48:04 2013 -0400 Revert "Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db" This reverts commit 066d9226bc6c569d5f420c978b758e0bddd23444. kernel/sys.c | 29 +++-------------------------- 1 files changed, 3 insertions(+), 26 deletions(-) commit bece88b4276babb2039a3e4f3e3b0cdeb8cd8328 Author: Al Viro Date: Sun Jun 16 18:06:06 2013 +0100 Upstream commit: 8177a9d79c0e942dcac3312f15585d0344d505a5 lseek(fd, n, SEEK_END) does *not* go to eof - n When you copy some code, you are supposed to read it. If nothing else, there's a chance to spot and fix an obvious bug instead of sharing it... X-Song: "I Got It From Agnes", by Tom Lehrer Signed-off-by: Al Viro [ Tom Lehrer? You're dating yourself, Al ] Signed-off-by: Linus Torvalds drivers/net/ethernet/brocade/bna/bnad_debugfs.c | 2 +- drivers/scsi/bfa/bfad_debugfs.c | 2 +- drivers/scsi/fnic/fnic_debugfs.c | 2 +- drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) commit 5a450f1c46f0c84379518aee878993d3f4a331b6 Author: Theodore Ts'o Date: Thu Jun 6 11:14:31 2013 -0400 Upstream commit: 40c87e7a5404861cef33f6ced9809525a5ee2c50 ext4: verify group number in verify_group_input() before using it Check the group number for sanity earilier, before calling routines such as ext4_bg_has_super() or ext4_group_overhead_blocks(). Reported-by: Jonathan Salwan Signed-off-by: "Theodore Ts'o" fs/ext4/resize.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) commit e2700ce1305cc746d2d9000392f00d96fdf28fb8 Author: Neil Horman Date: Wed Jun 12 14:26:44 2013 -0400 Upstream commit: c5c7774d7eb4397891edca9ebdf750ba90977a69 sctp: fully initialize sctp_outq in sctp_outq_init In commit 2f94aabd9f6c925d77aecb3ff020f1cc12ed8f86 (refactor sctp_outq_teardown to insure proper re-initalization) we modified sctp_outq_teardown to use sctp_outq_init to fully re-initalize the outq structure. Steve West recently asked me why I removed the q->error = 0 initalization from sctp_outq_teardown. I did so because I was operating under the impression that sctp_outq_init would properly initalize that value for us, but it doesn't. sctp_outq_init operates under the assumption that the outq struct is all 0's (as it is when called from sctp_association_init), but using it in __sctp_outq_teardown violates that assumption. We should do a memset in sctp_outq_init to ensure that the entire structure is in a known state there instead. Signed-off-by: Neil Horman Reported-by: "West, Steve (NSN - US/Fort Worth)" CC: Vlad Yasevich CC: netdev@vger.kernel.org CC: davem@davemloft.net Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Conflicts: net/sctp/outqueue.c net/sctp/outqueue.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit e13515ad7a9c7634599a105b2527752e527a905d Author: Saurabh Mohan Date: Mon Jun 10 17:45:10 2013 -0700 Upstream commit: baafc77b32f647daa7c45825f7af8cdd55d00817 net/ipv4: ip_vti clear skb cb before tunneling. If users apply shaper to vti tunnel then it will cause a kernel crash. The problem seems to be due to the vti_tunnel_xmit function not clearing skb->opt field before passing the packet to xfrm tunneling code. Signed-off-by: Saurabh Mohan Acked-by: Stephen Hemminger Signed-off-by: David S. Miller net/ipv4/ip_vti.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit e63056a252ed6fc0f16ab158d7c34cb57bd762e4 Author: Guillaume Nault Date: Wed Jun 12 16:07:36 2013 +0200 Upstream commit: a6f79d0f26704214b5b702bbac525cb72997f984 l2tp: Fix sendmsg() return value PPPoL2TP sockets should comply with the standard send*() return values (i.e. return number of bytes sent instead of 0 upon success). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit af361b412e816e894fb42ddff7a0545b7def64c0 Author: Guillaume Nault Date: Wed Jun 12 16:07:23 2013 +0200 Upstream commit: 55b92b7a11690bc377b5d373872a6b650ae88e64 l2tp: Fix PPP header erasure and memory leak Copy user data after PPP framing header. This prevents erasure of the added PPP header and avoids leaking two bytes of uninitialised memory at the end of skb's data buffer. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1f43aca088c35dda35abf76e08544e534c71fed4 Author: Daniel Borkmann Date: Wed Jun 12 16:02:27 2013 +0200 Upstream commit: 2dc85bf323515e59e15dfa858d1472bb25cad0fe packet: packet_getname_spkt: make sure string is always 0-terminated uaddr->sa_data is exactly of size 14, which is hard-coded here and passed as a size argument to strncpy(). A device name can be of size IFNAMSIZ (== 16), meaning we might leave the destination string unterminated. Thus, use strlcpy() and also sizeof() while we're at it. We need to memset the data area beforehand, since strlcpy does not padd the remaining buffer with zeroes for user space, so that we do not possibly leak anything. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/packet/af_packet.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit d0ae62fae5528bf2a393377f50b8dd9888d1e49f Author: Andy Lutomirski Date: Wed Jun 5 19:38:26 2013 +0000 Upstream commit: a7526eb5d06b0084ef12d7b168d008fcf516caab net: Unbreak compat_sys_{send,recv}msg I broke them in this commit: commit 1be374a0518a288147c6a7398792583200a67261 Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg This patch adds __sys_sendmsg and __sys_sendmsg as common helpers that accept MSG_CMSG_COMPAT and blocks MSG_CMSG_COMPAT at the syscall entrypoints. It also reverts some unnecessary checks in sys_socketcall. Apparently I was suffering from underscore blindness the first time around. Signed-off-by: Andy Lutomirski Tested-by: Eric Dumazet Signed-off-by: David S. Miller include/linux/socket.h | 3 ++ net/compat.c | 13 +++++++- net/socket.c | 72 ++++++++++++++++++++++-------------------------- 3 files changed, 47 insertions(+), 41 deletions(-) commit b481a366021e5db07a9ea138bc0c1fe598a5ba2f Author: Andy Lutomirski Date: Wed May 22 14:07:44 2013 -0700 Upstream commit: 1be374a0518a288147c6a7398792583200a67261 net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, trinity@vger.kernel.org, Andy Lutomirski , netdev@vger.kernel.org, "David S. Miller" Subject: [PATCH 5/5] net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg MSG_CMSG_COMPAT is (AFAIK) not intended to be part of the API -- it's a hack that steals a bit to indicate to other networking code that a compat entry was used. So don't allow it from a non-compat syscall. This prevents an oops when running this code: int main() { int s; struct sockaddr_in addr; struct msghdr *hdr; char *highpage = mmap((void*)(TASK_SIZE_MAX - 4096), 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); if (highpage == MAP_FAILED) err(1, "mmap"); s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if (s == -1) err(1, "socket"); addr.sin_family = AF_INET; addr.sin_port = htons(1); addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) != 0) err(1, "connect"); void *evil = highpage + 4096 - COMPAT_MSGHDR_SIZE; printf("Evil address is %p\n", evil); if (syscall(__NR_sendmmsg, s, evil, 1, MSG_CMSG_COMPAT) < 0) err(1, "sendmmsg"); return 0; } Cc: David S. Miller Signed-off-by: Andy Lutomirski Signed-off-by: David S. Miller net/socket.c | 33 +++++++++++++++++++++++++++++++-- 1 files changed, 31 insertions(+), 2 deletions(-) commit 6ccb09f408cc4ff23adbf68c7d2307f5fffcf88e Author: Kees Cook Date: Fri May 10 14:48:21 2013 -0700 Upstream commit: e0e29b683d6784ef59bbc914eac85a04b650e63c b43: stop format string leaking into error msgs The module parameter "fwpostfix" is userspace controllable, unfiltered, and is used to define the firmware filename. b43_do_request_fw() populates ctx->errors[] on error, containing the firmware filename. b43err() parses its arguments as a format string. For systems with b43 hardware, this could lead to a uid-0 to ring-0 escalation. CVE-2013-2852 Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: John W. Linville drivers/net/wireless/b43/main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit dfb67a67049ace7b94ad7e2febfac69816d50d85 Author: Mark A. Greer Date: Wed May 29 12:25:34 2013 -0700 Upstream commit: f873ded213d6d8c36354c0fc903af44da4fd6ac5 mwifiex: debugfs: Fix out of bounds array access When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs: $ cat /sys/kernel/debug/mwifiex/p2p0/info Unable to handle kernel paging request at virtual address 74706164 pgd = de530000 [74706164] *pgd=00000000 Internal error: Oops: 5 [#1] SMP ARM Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1 task: de16b6c0 ti: de048000 task.ti: de048000 PC is at strnlen+0xc/0x4c LR is at string+0x3c/0xf8 pc : [] lr : [] psr: a0000013 sp : de049e10 ip : c06efba0 fp : de6d2092 r10: bf01a260 r9 : ffffffff r8 : 74706164 r7 : 0000ffff r6 : ffffffff r5 : de6d209c r4 : 00000000 r3 : ff0a0004 r2 : 74706164 r1 : ffffffff r0 : 74706164 Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 9e530019 DAC: 00000015 Process cat (pid: 1635, stack limit = 0xde048240) Stack: (0xde049e10 to 0xde04a000) 9e00: de6d2092 00000002 bf01a25e de6d209c 9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48 9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00 9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254 9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00 9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569 9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898 9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0 9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00 9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60 9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000 9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000 9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003 9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd [] (strnlen+0xc/0x4c) from [] (string+0x3c/0xf8) [] (string+0x3c/0xf8) from [] (vsnprintf+0x1e8/0x3e8) [] (vsnprintf+0x1e8/0x3e8) from [] (sprintf+0x18/0x24) [] (sprintf+0x18/0x24) from [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) [] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [] (vfs_read+0xb0/0x144) [] (vfs_read+0xb0/0x144) from [] (SyS_read+0x44/0x70) [] (SyS_read+0x44/0x70) from [] (ret_fast_syscall+0x0/0x30) Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000) ---[ end trace ca98273dc605a04f ]--- The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic. Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occuring in the future when more modes are added. Signed-off-by: Mark A. Greer Acked-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/debugfs.c | 22 +++++++++++++++++----- 1 files changed, 17 insertions(+), 5 deletions(-) commit 04152dec6e99ca4c0fc52219f7cf2152dafe6b52 Author: Johan Hedberg Date: Tue May 28 13:46:30 2013 +0300 Upstream commit: cb3b3152b2f5939d67005cff841a1ca748b19888 Bluetooth: Fix missing length checks for L2CAP signalling PDUs There has been code in place to check that the L2CAP length header matches the amount of data received, but many PDU handlers have not been checking that the data received actually matches that expected by the specific PDU. This patch adds passing the length header to the specific handler functions and ensures that those functions fail cleanly in the case of an incorrect amount of data. Signed-off-by: Johan Hedberg Cc: stable@vger.kernel.org Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville net/bluetooth/l2cap_core.c | 70 ++++++++++++++++++++++++++++++++----------- 1 files changed, 52 insertions(+), 18 deletions(-) commit 628be2427afb241b5a1aa24bc5907d05287e1f25 Author: Dan Carpenter Date: Mon Jun 3 12:00:49 2013 +0300 Upstream commit: a8241c63517ec0b900695daa9003cddc41c536a1 ipvs: info leak in __ip_vs_get_dest_entries() The entry struct has a 2 byte hole after ->port and another 4 byte hole after ->stats.outpkts. You must have CAP_NET_ADMIN in your namespace to hit this information leak. Signed-off-by: Dan Carpenter Acked-by: Julian Anastasov Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso net/netfilter/ipvs/ip_vs_ctl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 066d9226bc6c569d5f420c978b758e0bddd23444 Author: Robin Holt Date: Wed Jun 12 14:04:37 2013 -0700 Upstream commit: cf7df378aa4ff7da3a44769b7ff6e9eef1a9f3db reboot: rigrate shutdown/reboot to boot cpu We recently noticed that reboot of a 1024 cpu machine takes approx 16 minutes of just stopping the cpus. The slowdown was tracked to commit f96972f2dc63 ("kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()"). The current implementation does all the work of hot removing the cpus before halting the system. We are switching to just migrating to the boot cpu and then continuing with shutdown/reboot. This also has the effect of not breaking x86's command line parameter for specifying the reboot cpu. Note, this code was shamelessly copied from arch/x86/kernel/reboot.c with bits removed pertaining to the reboot_cpu command line parameter. Signed-off-by: Robin Holt Tested-by: Shawn Guo Cc: "Srivatsa S. Bhat" Cc: H. Peter Anvin Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Russ Anderson Cc: Robin Holt Cc: Russell King Cc: Guan Xuetao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sys.c | 29 ++++++++++++++++++++++++++--- 1 files changed, 26 insertions(+), 3 deletions(-) commit 94e2a91600b07d39825e7059195f35eb611a39a2 Merge: 20cc761 e6e3059 Author: Brad Spengler Date: Thu Jun 13 16:23:46 2013 -0400 Merge branch 'pax-test' into grsec-test commit e6e3059de5525ebcd55af43b20c9cdbf43b9d30a Merge: c6aadb1 4b73feb Author: Brad Spengler Date: Thu Jun 13 16:23:39 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 20cc7613e38cde07adc73179a91d6c15292e8d43 Author: Daniel Borkmann Date: Thu Jun 6 15:53:47 2013 +0200 Upstream commit: 1abd165ed757db1afdefaac0a4bc8a70f97d258c net: sctp: fix NULL pointer dereference in socket destruction While stress testing sctp sockets, I hit the following panic: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] sctp_endpoint_free+0xe/0x40 [sctp] PGD 7cead067 PUD 7ce76067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: sctp(F) libcrc32c(F) [...] CPU: 7 PID: 2950 Comm: acc Tainted: GF 3.10.0-rc2+ #1 Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 task: ffff88007ce0e0c0 ti: ffff88007b568000 task.ti: ffff88007b568000 RIP: 0010:[] [] sctp_endpoint_free+0xe/0x40 [sctp] RSP: 0018:ffff88007b569e08 EFLAGS: 00010292 RAX: 0000000000000000 RBX: ffff88007db78a00 RCX: dead000000200200 RDX: ffffffffa049fdb0 RSI: ffff8800379baf38 RDI: 0000000000000000 RBP: ffff88007b569e18 R08: ffff88007c230da0 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff880077990d00 R14: 0000000000000084 R15: ffff88007db78a00 FS: 00007fc18ab61700(0000) GS:ffff88007fc60000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000020 CR3: 000000007cf9d000 CR4: 00000000000007e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Stack: ffff88007b569e38 ffff88007db78a00 ffff88007b569e38 ffffffffa049fded ffffffff81abf0c0 ffff88007db78a00 ffff88007b569e58 ffffffff8145b60e 0000000000000000 0000000000000000 ffff88007b569eb8 ffffffff814df36e Call Trace: [] sctp_destroy_sock+0x3d/0x80 [sctp] [] sk_common_release+0x1e/0xf0 [] inet_create+0x2ae/0x350 [] __sock_create+0x11f/0x240 [] sock_create+0x30/0x40 [] SyS_socket+0x4c/0xc0 [] ? do_page_fault+0xe/0x10 [] ? page_fault+0x22/0x30 [] system_call_fastpath+0x16/0x1b Code: 0c c9 c3 66 2e 0f 1f 84 00 00 00 00 00 e8 fb fe ff ff c9 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 66 66 66 66 90 <48> 8b 47 20 48 89 fb c6 47 1c 01 c6 40 12 07 e8 9e 68 01 00 48 RIP [] sctp_endpoint_free+0xe/0x40 [sctp] RSP CR2: 0000000000000020 ---[ end trace e0d71ec1108c1dd9 ]--- I did not hit this with the lksctp-tools functional tests, but with a small, multi-threaded test program, that heavily allocates, binds, listens and waits in accept on sctp sockets, and then randomly kills some of them (no need for an actual client in this case to hit this). Then, again, allocating, binding, etc, and then killing child processes. This panic then only occurs when ``echo 1 > /proc/sys/net/sctp/auth_enable'' is set. The cause for that is actually very simple: in sctp_endpoint_init() we enter the path of sctp_auth_init_hmacs(). There, we try to allocate our crypto transforms through crypto_alloc_hash(). In our scenario, it then can happen that crypto_alloc_hash() fails with -EINTR from crypto_larval_wait(), thus we bail out and release the socket via sk_common_release(), sctp_destroy_sock() and hit the NULL pointer dereference as soon as we try to access members in the endpoint during sctp_endpoint_free(), since endpoint at that time is still NULL. Now, if we have that case, we do not need to do any cleanup work and just leave the destruction handler. Signed-off-by: Daniel Borkmann Acked-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) commit 386ba837978cc8a1111440bdcd8600f2df4634a4 Author: Brad Spengler Date: Wed Jun 12 20:37:48 2013 -0400 fix deadlock when booting i386 kernel without NX mm/mmap.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit fe96e11acb36fcda9a9e6f6439557db4aa4e8da0 Author: Brad Spengler Date: Tue Jun 11 22:18:07 2013 -0400 fix elif / elif defined() typo in recent change kernel/events/core.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bc43377e1e757cd37a06be0187884a42af718aab Merge: 3cdea63 c6aadb1 Author: Brad Spengler Date: Tue Jun 11 18:50:39 2013 -0400 Merge branch 'pax-test' into grsec-test commit c6aadb12ae8dd3d12c2d6b8fbe80d29e514d60c0 Author: Brad Spengler Date: Tue Jun 11 18:49:36 2013 -0400 Update to pax-linux-3.9.4-test9.patch: - fixed a KERNEXEC regression resulting in unusable RAM regions (http://forums.grsecurity.net/viewtopic.php?f=3&t=3506) - removed a user-triggerable BUG_ON, fixing it properly wasn't worth the effort arch/x86/kernel/setup.c | 2 +- mm/mlock.c | 1 - 2 files changed, 1 insertions(+), 2 deletions(-) commit 3cdea63e90607d8d55820b101854091623feedb8 Author: Brad Spengler Date: Mon Jun 10 21:21:44 2013 -0400 Fix fanotify infoleak reported by Dan Carpenter at: https://lkml.org/lkml/2013/6/3/128 Requires CAP_SYS_ADMIN, so this is about as low priority as it gets fs/notify/fanotify/fanotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 373a2b5df78f82b9d3db72bd6577e29a71591323 Author: Brad Spengler Date: Mon Jun 10 21:16:46 2013 -0400 Backport infoleak fix by Dan Carpenter in cpqarray: https://lkml.org/lkml/2013/6/3/131 drivers/block/cpqarray.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 251e84b9b05e063981b20be154c9389862f94759 Author: Brad Spengler Date: Mon Jun 10 21:04:17 2013 -0400 Backport 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 drivers/cdrom/cdrom.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 383d89bf95818b05a485a6e8b118963b5bcbc83e Author: Brad Spengler Date: Mon Jun 10 18:34:32 2013 -0400 change const to __read_only kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 8f08f803f605649e63f0857a1b9a9805b629eaa4 Author: Brad Spengler Date: Mon Jun 10 17:34:13 2013 -0400 compile fix, make const values const kernel/sysctl.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 6b90c228f6d4a3c2cc9c2b9a6a7ac14534ebd42d Author: Brad Spengler Date: Mon Jun 10 17:37:13 2013 -0400 Backport upstream commit: af733960ca59f7d59ea337e1f633771c9e67101a drivers/char/mwave/tp3780i.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1c590aa70c95ebd76ba9672aa23d800b81780615 Author: Brad Spengler Date: Sun Jun 9 19:50:35 2013 -0400 allow -1 perf_event_paranoid kernel/sysctl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit defdc4a2bd3efda4af2bb6f3aa8f495fa8078584 Merge: 4e85539 117c3fa Author: Brad Spengler Date: Sun Jun 9 17:30:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit 117c3fa8d26c3806103123560f807d99071b60b6 Merge: ed9b427 5dd2e98 Author: Brad Spengler Date: Sun Jun 9 17:30:00 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 4e8553989b0406f15be4a2dccdbc7599cc2b4f42 Author: Eric Dumazet Date: Mon May 13 21:25:52 2013 +0000 Upstream commit: 54d27fcb338bd9c42d1dfc5a39e18f6f9d373c2e tcp: fix tcp_md5_hash_skb_data() TCP md5 communications fail [1] for some devices, because sg/crypto code assume page offsets are below PAGE_SIZE. This was discovered using mlx4 driver [2], but I suspect loopback might trigger the same bug now we use order-3 pages in tcp_sendmsg() [1] Failure is giving following messages. huh, entered softirq 3 NET_RX ffffffff806ad230 preempt_count 00000100, exited with 00000101? [2] mlx4 driver uses order-2 pages to allocate RX frags Reported-by: Matt Schnall Signed-off-by: Eric Dumazet Cc: Bernhard Beck Signed-off-by: David S. Miller net/ipv4/tcp.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 4f1ed254c28a1b3e03c0b0b744c5042661c295eb Author: Eric Dumazet Date: Fri May 17 04:53:13 2013 +0000 Upstream commit: 284041ef21fdf2e0d216ab6b787bc9072b4eb58a ipv6: fix possible crashes in ip6_cork_release() commit 0178b695fd6b4 ("ipv6: Copy cork options in ip6_append_data") added some code duplication and bad error recovery, leading to potential crash in ip6_cork_release() as kfree() could be called with garbage. use kzalloc() to make sure this wont happen. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Cc: Herbert Xu Cc: Hideaki YOSHIFUJI Cc: Neal Cardwell net/ipv6/ip6_output.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5771263fe368cd384127dd17d7596a7e1a4e2eec Author: Chen Gang Date: Thu May 16 23:13:04 2013 +0000 Upstream commit: ff0102ee104847023c36357e2b9f133f3f40d211 net: irda: using kzalloc() instead of kmalloc() to avoid strncpy() issue. 'discovery->data.info' length is 22, NICKNAME_MAX_LEN is 21, so the strncpy() will always left the last byte of 'discovery->data.info' uninitialized. When 'text' length is longer than 21 (NICKNAME_MAX_LEN), if still left the last byte of 'discovery->data.info' uninitialized, the next strlen() will cause issue. Also 'discovery->data' is 'struct irda_device_info' which defined in "include/uapi/...", it may copy to user mode, so need whole initialized. All together, need use kzalloc() instead of kmalloc() to initialize all members firstly. Signed-off-by: Chen Gang Signed-off-by: David S. Miller net/irda/irlap_frame.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c01c9af268cb066f240aec53454b8b74d8d01688 Author: Dan Carpenter Date: Sun May 19 08:36:36 2013 +0000 Upstream commit: 25dff94ff9df40d4d663bb6ea3193a7758cc50e5 isdn/kcapi: fix a small underflow In get_capi_ctr_by_nr() and get_capi_appl_by_nr() the parameter comes from skb->data. The current code can underflow to one space before the start of the array. The sanity check isn't needed in __get_capi_appl_by_nr() but I changed it to match the others. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller drivers/isdn/capi/kcapi.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 4a3f12a9df775147b0c4b0277de1aa99eddc5c66 Author: Timo Teräs Date: Wed May 22 01:40:47 2013 +0000 Upstream commit: 497574c72c9922cf20c12aed15313c389f722fa0 xfrm: properly handle invalid states as an error The error exit path needs err explicitly set. Otherwise it returns success and the only caller, xfrm_output_resume(), would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is NULL. Bug introduced in commit bb65a9cb (xfrm: removes a superfluous check and add a statistic). Signed-off-by: Timo Teräs Cc: Li RongQing Cc: Steffen Klassert Signed-off-by: David S. Miller net/xfrm/xfrm_output.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 61d8e1e848afa93cd971f6d1da875ad98b6ddfbd Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 Upstream commit: 0bdc7acba56a7ca4232f15f37b16f7ec079385ab reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/dir.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ca0746bf380eec77d75d1741ac4742ded0e55ec7 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 Upstream commit: a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc reiserfs: fix deadlock with nfs racing on create/lookup Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/inode.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit cd21c0eb4950498be46a07257426c0cea4aa2bf1 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 Upstream commit: 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b reiserfs: fix problems with chowning setuid file w/ xattrs reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 14 +++++++++++++- fs/reiserfs/xattr_acl.c | 3 +++ 2 files changed, 16 insertions(+), 1 deletions(-) commit c18cef940310c06bdf86d64d8cb227e56e165300 Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 Upstream commit: 2962f5a5dcc56f69cbf62121a7be67cc15d6940b xfs: kill suid/sgid through the truncate path. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. cc: stable kernel Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers (cherry picked from commit 56c19e89b38618390addfc743d822f99519055c6) fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 files changed, 32 insertions(+), 15 deletions(-) commit 8e62c6a0946a4b11a55540094a0ee5d3a222dbcc Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 Upstream commit: f448badd34700ae728a32ba024249626d49c10e1 NFSv4: Fix a thinko in nfs4_try_open_cached We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c47de62893a9f269be0a272c2840aac1e2a35c68 Author: Chen Gang Date: Thu May 30 01:18:43 2013 +0000 Upstream commit: ea99b1adf22abd62bdcf14b1c9a0a4d3664eefd8 parisc: kernel: using strlcpy() instead of strcpy() 'boot_args' is an input args, and 'boot_command_line' has a fix length. So use strlcpy() instead of strcpy() to avoid memory overflow. Signed-off-by: Chen Gang Acked-by: Kyle McMartin Signed-off-by: Helge Deller arch/parisc/kernel/setup.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ce869e6f799f95fcac340420ba3612503df80dbf Author: Chen Gang Date: Mon May 27 04:57:09 2013 +0000 Upstream commit: 3f108de96ba449a8df3d7e3c053bf890fee2cb95 parisc: memory overflow, 'name' length is too short for using 'path.bc[i]' can be asigned by PCI_SLOT() which can '> 10', so sizeof(6 * "%u:" + "%u" + '\0') may be 21. Since 'name' length is 20, it may be memory overflow. And 'path.bc[i]' is 'unsigned char' for printing, we can be sure the max length of 'name' must be less than 28. So simplify thinking, we can use 28 instead of 20 directly, and do not think of whether 'patchc.bc[i]' can '> 100'. Signed-off-by: Chen Gang Signed-off-by: Helge Deller arch/parisc/kernel/drivers.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5dc65cd34d442783118a17c518e2daedb90a31d0 Author: Brad Spengler Date: Tue Jun 4 17:52:23 2013 -0400 add PERF_HARDEN recommendation grsecurity/Kconfig | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 45b0f6e97666ca330b9a69e7fd2d2d9345d9618c Author: Brad Spengler Date: Tue Jun 4 17:22:44 2013 -0400 Introduce new feature: CONFIG_GRKERNSEC_PERF_HARDEN grsecurity/Kconfig | 19 +++++++++++++++++++ include/linux/perf_event.h | 5 +++++ kernel/events/core.c | 10 +++++++++- kernel/sysctl.c | 9 ++++++++- 4 files changed, 41 insertions(+), 2 deletions(-) commit 84619a3501fd38285a72d9e963f58d1827beedd6 Author: Brad Spengler Date: Sat Jun 1 14:23:31 2013 -0400 remove user-triggerable BUG_ON in do_munlockall() mm/mlock.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit f4bcf6087bd7b9a5b9c9021790396865c5362da0 Author: Brad Spengler Date: Sat Jun 1 13:44:05 2013 -0400 Upstream commit: cea4dcfdad926a27a18e188720efe0f2c9403456 From: Kees Cook Date: Thu, 23 May 2013 17:32:17 +0000 Subject: iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Embargo-screwup-by: Kees Cook Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger drivers/target/iscsi/iscsi_target_parameters.c | 8 +++----- drivers/target/iscsi/iscsi_target_parameters.h | 4 +++- 2 files changed, 6 insertions(+), 6 deletions(-) commit 2fdc3e0a0ecd44f22d49ea2230638ed650dd5e7e Author: Brad Spengler Date: Sat Jun 1 13:43:26 2013 -0400 Revert "Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters" Applying upstream fix instead This reverts commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291. drivers/target/iscsi/iscsi_target_parameters.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8ad50b7b6bbaaec7f07f894c15d76abe801f0769 Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 Upstream commit: e75b61897276c5100e61c9c74fd55ded28f31431 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings drivers/usb/atm/cxacru.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 8c237f4a53a038ab0f1c4fdc3656bdb3d77b7291 Author: Brad Spengler Date: Sat Jun 1 11:30:17 2013 -0400 Fix distro-embargoed bug CVE-2013-2850, bad strncpy parameters drivers/target/iscsi/iscsi_target_parameters.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) commit 8578566969d91678a3d7d5251b4eafc6d7775314 Author: Brad Spengler Date: Thu May 30 17:44:15 2013 -0400 Apply compatibility fix to previous RLIMIT_NPROC change don't enforce the rlimit check at exec time if the user is root Prevents problems with sudo if root is listed as part of a group in limits.conf with process limits enforced kernel/sys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0ed0c927ce3db94e2d0c0f328e24a28fe4f143e7 Merge: 643b294 ed9b427 Author: Brad Spengler Date: Wed May 29 19:19:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit ed9b4276488528d0c3803df1dc0df804238241e0 Author: Brad Spengler Date: Wed May 29 19:18:45 2013 -0400 Updated to pax-linux-3.9.4-test8.patch: - fixed some fallout detected by the checker plugin arch/x86/kernel/crash_dump_64.c | 2 +- drivers/base/devtmpfs.c | 6 +++--- drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 2 +- drivers/char/mem.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 ++-- drivers/i2c/i2c-dev.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 6 +++--- drivers/media/v4l2-core/v4l2-ioctl.c | 20 ++++++++++++-------- fs/9p/vfs_addr.c | 2 +- fs/binfmt_elf.c | 4 ++-- fs/compat_ioctl.c | 4 ++-- fs/exec.c | 2 +- fs/namespace.c | 8 ++++---- fs/proc/vmcore.c | 12 ++++++++---- fs/read_write.c | 2 +- include/linux/syscalls.h | 8 ++++---- init/do_mounts_initrd.c | 8 ++++---- init/main.c | 4 ++-- kernel/events/core.c | 2 +- kernel/events/internal.h | 10 +++++----- mm/page_io.c | 2 +- security/keys/internal.h | 2 +- tools/gcc/checker_plugin.c | 1 + 24 files changed, 63 insertions(+), 54 deletions(-) commit 643b294b41c6adcad1cf107efe4ae52a834e6f15 Author: Brad Spengler Date: Wed May 29 18:51:31 2013 -0400 eliminate gcc warning fs/exec.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit cf6f73059387ffeddb7b1de3e97a3cf588bcef86 Author: Brad Spengler Date: Wed May 29 18:30:20 2013 -0400 use BUILD_BUG() instead of BUILD_BUG_ON(1) arch/x86/net/bpf_jit_comp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 5343410354267368e5809f3ad8d9a264f141be18 Author: Brad Spengler Date: Wed May 29 17:57:41 2013 -0400 defensively handle additions to the BPF JIT by introducing a BUILD_BUG_ON for unknown opcodes arch/x86/net/bpf_jit_comp.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 01f78a604b47c93fb26e8aeb68ef619bb3b8579d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 Upstream commit: d34883d4e35c0a994e91dd847a82b4c9e0c31d83 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 79 ++++++++++++++++++++++++++--------------------------- 1 files changed, 39 insertions(+), 40 deletions(-) commit 163a5539b36247865d39b2bcfa8efc03a62124a6 Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 Upstream commit: 7c3425123ddfdc5f48e7913ff59d908789712b18 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) commit 3e54faf888d324d5f362dcba16173ea7bba61e8a Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 Upstream commit: 7b92d03c3239f43e5b86c9cc9630f026d36ee995 fat: fix possible overflow for fat_clusters Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/fat/inode.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit 2d9fc67d9d63641e6bbf389edba8d8514c68655d Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 Upstream commit: 1e7e2e05c179a68aaf8830fe91547a87f4589e53 drivers/char/random.c: fix priming of last_data Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 30 +++++++++++++++--------------- 1 files changed, 15 insertions(+), 15 deletions(-) commit 2d74639040ba6ce47f57ec010714ec06529c4b42 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 Upstream commit: 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 random: fix accounting race condition with lockless irq entropy_count update Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Cc: Greg KH Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/char/random.c | 26 +++++++++++++++++--------- 1 files changed, 17 insertions(+), 9 deletions(-) commit 65d05c7ea468c23c175105526dd4f163302a92cf Merge: 1a98d0a 6ce3a135 Author: Brad Spengler Date: Sat May 25 07:48:15 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/vm86_32.c commit 6ce3a13567ec17c1e72a88871ddf46da61ad5166 Merge: 79bdd65 0bfd8ff Author: Brad Spengler Date: Sat May 25 07:46:55 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 1a98d0a10ede55ae99fabfb2d67eb536d3de9444 Author: Brad Spengler Date: Thu May 23 18:42:23 2013 -0400 use existing local variable fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b2b80ef8586061e32e986b31608717c25d1e7c54 Merge: cb45fbd 79bdd65 Author: Brad Spengler Date: Thu May 23 17:58:53 2013 -0400 Merge branch 'pax-test' into grsec-test commit 79bdd65dac68267bc1b201c6b4a99966a373c305 Author: Brad Spengler Date: Thu May 23 17:57:46 2013 -0400 Update to pax-linux-3.9.3-test7.patch: - fixed some size overflow related warnings (hash table, attributes) - fixed a gcc bug/feature exposed by constification, the investigation was prompted by http://rikiji.it/2013/05/10/CVE-2013-2094-x86.html arch/x86/include/asm/page_64.h | 2 +- arch/x86/kernel/head64.c | 2 +- tools/gcc/constify_plugin.c | 48 ++- tools/gcc/size_overflow_hash.data | 1191 +++++++++++++++++++------------------ 4 files changed, 651 insertions(+), 592 deletions(-) commit cb45fbda4967b1b544a754fbdc92d73283379522 Merge: 62588fa 57c11b8 Author: Brad Spengler Date: Mon May 20 17:32:17 2013 -0400 Merge branch 'pax-test' into grsec-test commit 57c11b85acd841a088aa4df8e60be337880df8cd Merge: 0598b37 4bb0869 Author: Brad Spengler Date: Mon May 20 17:32:08 2013 -0400 Merge branch 'linux-3.9.y' into pax-test commit 62588fa72b82a8ff7027f52dc2a05729f41e0f53 Merge: e261c7b 0598b37 Author: Brad Spengler Date: Fri May 17 22:57:36 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0598b3778624dbc6c3887af025c040dbd6e92ba5 Author: Brad Spengler Date: Fri May 17 22:57:07 2013 -0400 Update to pax-linux-3.9.2-test6.patch: - fixed a gcc assert in the structleak plugin, reported by Emese Revfy - fixed pfn extraction from pud/pgd entries, reported by ousado arch/x86/include/asm/pgtable.h | 9 +++++++-- tools/gcc/structleak_plugin.c | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit e261c7bc611e9127bbb7bd95cddd51524bf255ae Author: Brad Spengler Date: Thu May 16 22:54:12 2013 -0400 add offset to topdown check, fixes compilation arch/x86/kernel/sys_x86_64.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 455c5ed5279cf546f5d5c3844fb16f17300b2219 Author: Brad Spengler Date: Thu May 16 20:57:41 2013 -0400 CONFIG_GRKERNSEC depends on the recently-introduced CONFIG_TTY, reported by lulzh3ad on irc security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0d4593e84707cdf6deb6b925c18c676a476b1613 Merge: 43cd0c0 39a877f Author: Brad Spengler Date: Thu May 16 20:39:11 2013 -0400 Merge branch 'pax-test' into grsec-test commit 39a877f192ed305d88edac10a14a9e8e1e161f3f Author: Brad Spengler Date: Thu May 16 20:37:35 2013 -0400 Update to pax-linux-3.9.2-test105.patch: - fixed !EFI boot problem, reported by spender - fixed a few compile warnings - fixed some more compile errors due to constification - fixed some arm fallout, reported by Michael Tremer arch/arm/include/asm/psci.h | 2 +- arch/arm/kernel/psci.c | 2 +- arch/x86/kernel/sys_x86_64.c | 3 +-- arch/x86/realmode/init.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +++++----- drivers/irqchip/irq-gic.c | 2 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +++- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +++++++++--- drivers/platform/x86/chromeos_laptop.c | 2 +- fs/jfs/super.c | 4 ++-- include/linux/irqchip/arm-gic.h | 2 ++ include/sound/compress_driver.h | 2 +- net/mac80211/cfg.c | 4 ++-- sound/soc/fsl/fsl_ssi.c | 2 +- 14 files changed, 31 insertions(+), 22 deletions(-) commit 43cd0c0c7bf3f3331689f88130a8e8ce58fc8540 Author: Brad Spengler Date: Thu May 16 20:35:22 2013 -0400 Fix usercopy false positive under gcc 4.1 arch/x86/kernel/signal.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) commit 56a166129d817f6634c8c230e6ec497669bdfaca Author: Amerigo Wang Date: Thu May 9 21:56:37 2013 +0000 Upstream commit: 5dbd5068430b8bd1c19387d46d6c1a88b261257f ipv6,gre: do not leak info to user-space There is a hole in struct ip6_tnl_parm2, so we have to zero the struct on stack before copying it to user-space. Cc: David S. Miller Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit d6f50dae2653ad912952da40417a8ccbd59c7699 Author: Brad Spengler Date: Tue May 14 16:52:35 2013 -0400 disable unprivileged kernel profiling under HIDESYM, rename the variable to something more appropriate include/linux/perf_event.h | 8 ++++---- kernel/events/core.c | 6 +++++- kernel/sysctl.c | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) commit 01322c6951bed4eedefbd2178dbd99292b365d99 Author: Brad Spengler Date: Mon May 13 17:19:57 2013 -0400 mark GRKERNSEC_RAND_THREADSTACK broken until PaX fixes its existing stack-heap gap code for the new unified vm_unmapped_area grsecurity/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8e576ddc2196770ba2b86ba8f7b9e76c141d1083 Author: Brad Spengler Date: Mon May 13 15:40:32 2013 -0400 fix NX fault on early boot arch/x86/realmode/init.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 85ce9b6f668f9b02f21d23ae61a1bacc8804f615 Author: Brad Spengler Date: Mon May 13 10:48:13 2013 -0400 compile fix, we weren't using %pa anyway and it's now being used by upstream for physical address printing lib/vsprintf.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 4eeaeea04d4776b8263f0e9b018edcdbe66c929d Author: Brad Spengler Date: Mon May 13 10:39:52 2013 -0400 compile fix grsecurity/grsec_chroot.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 155fe84d0b966e41b077781e6b3bc6f6ed5b294b Author: Brad Spengler Date: Mon May 13 10:35:36 2013 -0400 compile fixes grsecurity/grsec_chroot.c | 2 +- include/linux/grinternal.h | 8 ++++---- include/linux/grsecurity.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) commit f92047409f0a843ec0b44033ca4c37e539f9a1d5 Author: Brad Spengler Date: Mon May 13 10:27:18 2013 -0400 compile fix fs/exec.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 0e4123608755ab6af3f448cca6f6a8a57dbdcff1 Author: Brad Spengler Date: Mon May 13 10:23:17 2013 -0400 Initial port of grsecurity for 3.9.2 Documentation/kernel-parameters.txt | 4 + Makefile | 8 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 29 +- arch/arm/mm/mmap.c | 8 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 17 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/defconfig | 1 - arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 6 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 9 + drivers/net/bonding/bond_main.c | 2 +- drivers/net/phy/mdio-bitbang.c | 1 + drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 8 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 20 +- fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 181 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 13 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 241 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1031 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4073 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 387 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 305 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 370 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 187 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 326 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 + include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 242 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/mm.h | 1 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 68 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/uidgid.h | 5 + include/linux/vermagic.h | 9 +- include/net/secure_seq.h | 1 + include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 110 +- kernel/exit.c | 10 +- kernel/fork.c | 41 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 81 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 13 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 45 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 64 +- mm/mprotect.c | 8 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/8021q/vlan.c | 7 + net/core/dev_ioctl.c | 4 + net/core/net-procfs.c | 5 + net/core/secure_seq.c | 4 +- net/core/sock_diag.c | 7 + net/ipv4/af_inet.c | 5 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 2 +- net/sctp/probe.c | 2 +- net/sctp/proc.c | 3 +- net/socket.c | 66 +- net/sysctl_net.c | 2 +- net/tipc/link.c | 11 +- net/unix/af_unix.c | 31 +- security/Kconfig | 342 ++- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/tomoyo/mount.c | 4 + security/yama/Kconfig | 2 +- 291 files changed, 15221 insertions(+), 2052 deletions(-) commit 88854c350c899bceca4a94598c42bed44d0dc91b Author: Brad Spengler Date: Mon May 13 07:37:47 2013 -0400 Initial import of pax-linux-3.9.2-test2.patch Documentation/dontdiff | 45 +- Documentation/kernel-parameters.txt | 12 + Makefile | 100 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 ++- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 2 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 6 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 15 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 15 +- arch/arm/kernel/vmlinux.lds.S | 22 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/gpmc.c | 22 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 91 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 187 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 26 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 9 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/uaccess.h | 140 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/kernel/us3_cpufreq.c | 69 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 ++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 8 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 21 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 7 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 6 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 +- arch/x86/include/asm/bitops.h | 4 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 67 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 21 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 6 +- arch/x86/include/asm/page_64.h | 2 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 113 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 530 ++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head64.c | 1 - arch/x86/kernel/head_32.S | 237 +- arch/x86/kernel/head_64.S | 120 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes/core.c | 30 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 19 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 19 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 248 + arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 57 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 70 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 +- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 556 ++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 90 +- arch/x86/mm/init_32.c | 119 +- arch/x86/mm/init_64.c | 44 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 15 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/physaddr.c | 4 +- arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 2 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 4 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 22 +- drivers/block/loop.c | 2 +- drivers/block/pktcdvd.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 10 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_arch_timer.c | 2 +- drivers/clocksource/metag_generic.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 +- drivers/cpufreq/cpufreq.c | 9 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_mc_sysfs.c | 12 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 4 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 6 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 4 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 37 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/irq_remapping.c | 10 +- drivers/irqchip/irq-gic.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/mfd/twl4030-irq.c | 9 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 18 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 2 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 5 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 +- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 36 +- drivers/video/uvesafb.c | 53 +- drivers/video/vesafb.c | 58 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 4 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 605 +++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 2 +- fs/exec.c | 362 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/super.c | 2 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 6 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nfsd/nfscache.c | 8 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 18 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/bin.c | 6 +- fs/sysfs/dir.c | 2 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 + include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 17 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/binfmts.h | 3 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compat.h | 6 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 65 +- include/linux/completion.h | 6 +- include/linux/configfs.h | 2 +- include/linux/cpu.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 12 +- include/linux/crypto.h | 6 +- include/linux/ctype.h | 2 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 5 +- include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/irq.h | 3 +- include/linux/irqchip/arm-gic.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 15 + include/linux/math64.h | 6 +- include/linux/mm.h | 110 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 6 +- include/linux/module.h | 60 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 3 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/pci_hotplug.h | 3 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pm_domain.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/proc_fs.h | 2 +- include/linux/random.h | 5 + include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 67 +- include/linux/sched/sysctl.h | 1 + include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 2 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 3 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 4 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 12 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 8 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 77 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/irq_work.c | 7 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 4 +- kernel/kprobes.c | 8 +- kernel/ksysfs.c | 2 +- kernel/lockdep.c | 7 +- kernel/module.c | 337 +- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcupdate.c | 4 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 68 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 20 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 51 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 18 +- kernel/srcu.c | 4 +- kernel/sys.c | 10 +- kernel/sysctl.c | 39 +- kernel/time.c | 2 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 6 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 8 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 6 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 26 +- mm/memory.c | 424 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 576 ++- mm/mprotect.c | 139 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 4 +- mm/page_alloc.c | 41 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 105 +- mm/slab.h | 5 +- mm/slab_common.c | 11 +- mm/slob.c | 201 +- mm/slub.c | 99 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 13 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 18 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/af_inet.c | 8 +- net/ipv4/ah4.c | 2 +- net/ipv4/devinet.c | 14 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 18 +- net/ipv4/sysctl_net_ipv4.c | 45 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 14 +- net/ipv6/addrconf.c | 6 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/raw.c | 19 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 8 +- net/ipv6/xfrm6_policy.c | 13 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/netlink/genetlink.c | 16 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 4 +- net/socket.c | 18 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 27 +- net/xfrm/xfrm_state.c | 29 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/headers_install.pl | 1 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- security/Kconfig | 675 +++- security/apparmor/lsm.c | 2 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/key.c | 18 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- security/yama/yama_lsm.c | 22 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 45 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 518 ++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 ++ tools/gcc/latent_entropy_plugin.c | 327 ++ tools/gcc/size_overflow_hash.data | 5876 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 2114 ++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/gcc/structleak_plugin.c | 276 + tools/perf/util/include/asm/alternative-asm.h | 3 + tools/perf/util/include/linux/compiler.h | 8 + virt/kvm/kvm_main.c | 32 +- 1555 files changed, 30474 insertions(+), 7126 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit c982acca364cbd7677bad7e53b9c7ecfaa6dfeb7 Merge: 814820a 3a59a59 Author: Brad Spengler Date: Sun May 12 21:51:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 3a59a59cf5e1bf88f96b05c64f7969e97f7f051f Author: Brad Spengler Date: Sun May 12 21:50:07 2013 -0400 Update to pax-linux-3.8.13-test24.patch: - fixed sparc/constification compile error, reported by blake - UDEREF/amd64 should be a bit more efficient when disabled at boot time - fixed some unnecessary integer truncations that could trip up the size overflow plugin arch/arm/kernel/vmlinux.lds.S | 4 ++-- arch/sparc/kernel/us3_cpufreq.c | 4 ++-- arch/x86/ia32/ia32entry.S | 4 ++-- arch/x86/include/asm/pgtable.h | 6 ++++-- arch/x86/include/asm/uaccess.h | 6 +++--- arch/x86/kernel/kprobes-opt.c | 4 ++++ arch/x86/lib/copy_user_nocache_64.S | 2 +- arch/x86/lib/getuser.S | 8 ++++---- arch/x86/lib/putuser.S | 8 ++++---- arch/x86/mm/fault.c | 6 +++--- drivers/net/slip/slhc.c | 2 +- drivers/staging/iio/ring_sw.c | 2 +- fs/binfmt_elf.c | 6 +++--- fs/nfsd/nfscache.c | 2 +- fs/xattr.c | 21 +++++++++++++++++++++ include/linux/syscalls.h | 2 +- include/linux/xattr.h | 3 +++ init/main.c | 3 +++ kernel/futex_compat.c | 2 +- kernel/trace/trace.h | 2 +- net/socket.c | 2 +- security/Kconfig | 2 +- 22 files changed, 67 insertions(+), 34 deletions(-) commit 814820abfe5b9a34401d838b2510431a4cd92be9 Author: Dan Carpenter Date: Mon May 6 09:31:17 2013 +0000 Upstream commit: 6bf15191f666c5965d212561d7a5c7b78b808dfa tipc: potential divide by zero in tipc_link_recv_fragment() The worry here is that fragm_sz could be zero since it comes from skb->data. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit b58503d2784f0a4dbf4d9dbef9bdcc7bf163e3c1 Author: Dan Carpenter Date: Mon May 6 08:28:41 2013 +0000 Upstream commit: cb4b102f0ab29fcbaf945c6b1f85ef006cdb8edc tipc: add a bounds check in link_recv_changeover_msg() The bearer_id here comes from skb->data and it can be a number from 0 to 7. The problem is that the ->links[] array has only 2 elements so I have added a range check. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/tipc/link.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit ed0428c4ef6c5498870772f212ac651216eb8d0c Merge: 2452d8d dbf932a Author: Brad Spengler Date: Sun May 12 21:18:25 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/cpu/perf_event_intel_uncore.c arch/x86/mm/init.c commit a113d6ac19303cd76d405df5aef5a4d190e6e7d7 Author: Brad Spengler Date: Sun May 12 20:24:01 2013 -0400 compile fix grsecurity/gracl.c | 1 + grsecurity/gracl_segv.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) commit 1bd664ee9054a28bbcf1dad6f9ffbc9e8500bb00 Author: Brad Spengler Date: Sun May 12 18:25:26 2013 -0400 fix btrfs support here as well grsecurity/gracl_segv.c | 17 +++++++++-------- 1 files changed, 9 insertions(+), 8 deletions(-) commit c75e4664fe4d20da1639f70d9def097c4f20856b Author: Brad Spengler Date: Sun May 12 18:12:57 2013 -0400 Fix RBAC compatibility with btrfs compiled as a module, as reported on the forums by YuHg at: http://forums.grsecurity.net/viewtopic.php?t=2575&p=12952#p12952 fs/btrfs/inode.c | 11 +---------- grsecurity/gracl.c | 19 ++++++++++--------- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_disabled.c | 2 +- 4 files changed, 13 insertions(+), 21 deletions(-) commit e40c5804acc5b83e10d16ca3ba92502a3e5f7f27 Author: Brad Spengler Date: Sat May 11 12:12:00 2013 -0400 allow copies just up to the start of kernel code fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 04638852588cf243f865f5a73aa9dab94fab53b7 Author: Brad Spengler Date: Fri May 10 16:53:07 2013 -0400 MODULES_EXEC_VADDR is a virtual address fs/exec.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 017fc58a177b8b3fd9c2a7a4366f3590c9d49435 Author: Brad Spengler Date: Fri May 10 16:51:03 2013 -0400 exempt module rx areas from usercopy protection under i386 kernexec their .rodata will be placed between stext/etext causing copies of constant strings to trigger usercopy reports/terminations fs/exec.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit c1b2cc5dd5f5ae5c88402c7acbcb270f8d36a9da Author: Brad Spengler Date: Wed May 8 20:25:52 2013 -0400 User jorgus on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3446 discovered that the upstreamed version of enforcing RLIMIT_NPROC at setuid/exec time missed an important corner case: If RLIMIT_NPROC is set after a setuid occurs and the user's process limit is reached elsewhere, no enforcement of RLIMIT_NPROC will happen at exec time for the task with a modified RLIMIT_NPROC. This patch fixes that. kernel/sys.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit 85ffce8c95bd1d9114852f74db8c66ddbc2e77ff Merge: 539fff0 2452d8d Author: Brad Spengler Date: Wed May 8 18:13:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 2452d8d0416d5c9c32805443dd89e5c9778dea4a Merge: 6c850d8 9c9ab76 Author: Brad Spengler Date: Wed May 8 18:13:31 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/irq.c kernel/trace/trace_stack.c commit 539fff0cf95c3dcc02c5e0ac3ef8da4519efdb9a Author: Brad Spengler Date: Tue May 7 21:43:00 2013 -0400 turn counter into a flag grsecurity/Kconfig | 2 +- grsecurity/grsec_chroot.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 3da48c0f89377e1ef76470d4b19f19df793fdf32 Author: Brad Spengler Date: Tue May 7 21:02:39 2013 -0400 add GRKERNSEC_CHROOT_INITRD to work around Plymouth stupidity useful for Fedora/RHEL users grsecurity/Kconfig | 10 ++++++++++ grsecurity/grsec_chroot.c | 17 +++++++++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) commit 418102925c0cfb0de51b0a021abaa575e28fafa6 Author: Peter Zijlstra Date: Fri May 3 14:11:25 2013 +0200 Upstream commit: 7cc23cd6c0c7d7f4bee057607e7ce01568925717 perf/x86/intel/lbr: Demand proper privileges for PERF_SAMPLE_BRANCH_KERNEL We should always have proper privileges when requesting kernel data. Signed-off-by: Peter Zijlstra Cc: Cc: Andi Kleen Cc: eranian@google.com Link: http://lkml.kernel.org/r/20130503121256.230745028@chello.nl [ Fix build error reported by fengguang.wu@intel.com, propagate error code back. ] Signed-off-by: Ingo Molnar Link: http://lkml.kernel.org/n/tip-v0x9ky3ahzr6nm3c6ilwrili@git.kernel.org arch/x86/kernel/cpu/perf_event_intel_lbr.c | 13 ++++++++++--- 1 files changed, 10 insertions(+), 3 deletions(-) commit f9e1af27cca1722a4c6a801000b5b3b5410401a2 Author: Eric Dumazet Date: Mon Apr 29 05:58:52 2013 +0000 Upstream commit: aebda156a570782a86fc4426842152237a19427d net: defer net_secret[] initialization Instead of feeding net_secret[] at boot time, defer the init at the point first socket is created. This permits some platforms to use better entropy sources than the ones available at boot time. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/secure_seq.h | 1 + net/core/secure_seq.c | 4 +--- net/ipv4/af_inet.c | 5 ++++- 3 files changed, 6 insertions(+), 4 deletions(-) commit a9229d75129cd9744a5e486ec99a0fe6aeaf10ac Author: Daniel Borkmann Date: Wed May 1 02:59:23 2013 +0000 Upstream commit: be3e45810bb1ee0bdfa93f6b9532d8c451e50f48 net: sctp: attribute printl with __printf for gcc fmt checks Let GCC check for format string errors in sctp's probe printl function. This patch fixes the warning when compiled with W=1: net/sctp/probe.c:73:2: warning: function might be possible candidate for 'gnu_printf' format attribute [-Wmissing-format-attribute] Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller net/sctp/probe.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 81b98190c66a90f0ed2de4560f542b1dea7664f2 Author: Brad Spengler Date: Thu May 2 19:58:54 2013 -0400 remove no-longer-needed vmware 8 compat fix mm/page_alloc.c | 6 ------ 1 files changed, 0 insertions(+), 6 deletions(-) commit a7716a90c1dbe09a8a6d98c74ea2f7fe2a530e94 Author: Brad Spengler Date: Thu May 2 19:55:23 2013 -0400 remove unnecessary < 0 check net/phonet/af_phonet.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a4e8dd5b1cca13c2e4145af75694a04aaa811f3f Author: Brad Spengler Date: Wed May 1 18:30:48 2013 -0400 remove references to CONFIG_X86_WP_WORKS_OK arch/um/defconfig | 1 - security/Kconfig | 2 +- 2 files changed, 1 insertions(+), 2 deletions(-) commit 408da6791f93ffe00d26bfe919f1b2218fe0804d Merge: a8dbe8e 6c850d8 Author: Brad Spengler Date: Wed May 1 18:28:44 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/mm/ultra.S drivers/tty/tty_io.c commit 6c850d8b76b375e418b6a18a33cc8263f36fabcf Merge: cdbcbef 9fa1d01 Author: Brad Spengler Date: Wed May 1 18:25:18 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a8dbe8ee7a0a3ace489e2f95d69d33e14d5f0b78 Author: Brad Spengler Date: Mon Apr 29 18:44:23 2013 -0400 add module.h to silence compiler warning, thanks to Sergei Trofimovich fs/btrfs/inode.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 55eba82aca97aa56378e000840c48965557721e8 Author: Brad Spengler Date: Mon Apr 29 18:43:03 2013 -0400 compilation fix kernel/trace/trace.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e3bf912b54af6df7fbebc68b5999554562056c5c Merge: 5b72e37 cdbcbef Author: Brad Spengler Date: Mon Apr 29 18:34:42 2013 -0400 Merge branch 'pax-test' into grsec-test commit cdbcbef45c4f003cbee11e10668a35d424c17c60 Author: Brad Spengler Date: Mon Apr 29 18:33:35 2013 -0400 Update to pax-linux-3.8.10-test21.patch: - removed size overflow coverage of resource_size(), reported at http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 - fixed bad pointer arithmetic in nfsd_cache_update, reported by Jason A. Donenfeld and http://forums.grsecurity.net/viewtopic.php?f=3&t=3438 note that the false positive is not fixed yet - fixed a few unintended bitmask computations found by a not-yet-public gcc plugin - fixed the kernel stack leak bug in do_tgkill, found by the size overflow plugin (https://code.google.com/p/chromium/issues/detail?id=223444) - reverted the nested NMI fix in search for a real one - simplified the arm_delay_ops constification arch/arm/include/asm/delay.h | 8 ++++---- arch/arm/lib/delay.c | 17 +++++------------ arch/x86/kernel/entry_64.S | 11 ++++++++++- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kvm/vmx.c | 4 ++-- drivers/block/pktcdvd.c | 2 +- fs/btrfs/extent-tree.c | 2 +- fs/nfsd/nfscache.c | 6 ++++-- kernel/trace/trace.c | 2 +- tools/gcc/structleak_plugin.c | 4 ++++ 11 files changed, 34 insertions(+), 26 deletions(-) commit 5b72e3790fa0e8a16a09c0ef745d8065620a1e74 Author: Brad Spengler Date: Fri Apr 26 20:53:06 2013 -0400 don't use file_inode() drivers/tty/tty_io.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a2df9595fa2e3c7a0c63b1acac75425fd4feb946 Author: Jiri Slaby Date: Fri Apr 26 13:48:53 2013 +0200 Upstream commit: 37b7f3c76595e23257f61bd80b223de8658617ee TTY: fix atime/mtime regression In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") we removed timestamps from tty inodes to fix a security issue and waited if something breaks. Well, 'w', the utility to find out logged users and their inactivity time broke. It shows that users are inactive since the time they logged in. To revert to the old behaviour while still preventing attackers to guess the password length, we update the timestamps in one-minute intervals by this patch. Signed-off-by: Jiri Slaby Cc: Greg Kroah-Hartman Signed-off-by: Linus Torvalds Conflicts: drivers/tty/tty_io.c drivers/tty/tty_io.c | 15 ++++++++++++++- 1 files changed, 14 insertions(+), 1 deletions(-) commit c9c76fe07da7611a5062dd3234e5d2369e0a78ec Author: Jiri Slaby Date: Fri Feb 15 15:25:05 2013 +0100 Upstream commit: b0de59b5733d TTY: do not update atime/mtime on read/write On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find out length of a password using timestamps of /dev/ptmx. It is documented in "Timing Analysis of Keystrokes and Timing Attacks on SSH". To avoid that problem, do not update time when reading from/writing to a TTY. I am afraid of regressions as this is a behavior we have since 0.97 and apps may expect the time to be current, e.g. for monitoring whether there was a change on the TTY. Now, there is no change. So this would better have a lot of testing before it goes upstream. References: CVE-2013-0160 Signed-off-by: Jiri Slaby Cc: stable # after 3.9 is out Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 8 ++------ 1 files changed, 2 insertions(+), 6 deletions(-) commit 5344a24e2320d61dbdb88aae04922f0799deefd0 Author: Zhao Hongjiang Date: Fri Apr 26 11:03:53 2013 +0800 Upstream commit: 91d80a84bbc8f28375cca7e65ec666577b4209ad aio: fix possible invalid memory access when DEBUG is enabled dprintk() shouldn't access @ring after it's unmapped. Signed-off-by: Zhao Hongjiang Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/aio.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 786841cb279bbd8e458d67e112a1d01a3d4598a7 Author: John David Anglin Date: Tue Apr 23 22:42:07 2013 +0200 Upstream commit: bda079d336cd8183e1d844a265ea87ae3e1bbe78 parisc: use spin_lock_irqsave/spin_unlock_irqrestore for PTE updates User applications running on SMP kernels have long suffered from instability and random segmentation faults. This patch improves the situation although there is more work to be done. One of the problems is the various routines in pgtable.h that update page table entries use different locking mechanisms, or no lock at all (set_pte_at). This change modifies the routines to all use the same lock pa_dbit_lock. This lock is used for dirty bit updates in the interruption code. The patch also purges the TLB entries associated with the PTE to ensure that inconsistent values are not used after the page table entry is updated. The UP and SMP code are now identical. The change also includes a minor update to the purge_tlb_entries function in cache.c to improve its efficiency. Signed-off-by: John David Anglin Cc: Helge Deller Signed-off-by: Helge Deller arch/parisc/include/asm/pgtable.h | 47 +++++++++++++++++++----------------- arch/parisc/kernel/cache.c | 5 +--- 2 files changed, 26 insertions(+), 26 deletions(-) commit 775a77ad179d4c25bc94e85ef81135cbdffcfdc1 Merge: ba54c97 4d05084 Author: Brad Spengler Date: Fri Apr 26 18:17:20 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kvm/x86.c include/linux/capability.h commit 4d0508463d0ee3ec4b9eca1ea6bed3be03a3df21 Merge: c664779 bb8dd67 Author: Brad Spengler Date: Fri Apr 26 18:15:45 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit ba54c977fe8c3afc4a9efd7afc3f30cf10b02fa2 Author: David S. Miller Date: Wed Apr 24 16:52:18 2013 -0700 Upstream commit: f0af97070acbad5d6a361f485828223a4faaa0ee sparc64: Fix missing put_cpu_var() in tlb_batch_add_one() when not batching. Reported-by: Meelis Roos Signed-off-by: David S. Miller arch/sparc/mm/tlb.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit dc080cfd57c7cdc426f8c6c2da11911ac99959d8 Author: David S. Miller Date: Fri Apr 19 17:26:26 2013 -0400 Upstream commit: f36391d2790d04993f48da6a45810033a2cdf847 sparc64: Fix race in TLB batch processing. As reported by Dave Kleikamp, when we emit cross calls to do batched TLB flush processing we have a race because we do not synchronize on the sibling cpus completing the cross call. So meanwhile the TLB batch can be reset (tb->tlb_nr set to zero, etc.) and either flushes are missed or flushes will flush the wrong addresses. Fix this by using generic infrastructure to synchonize on the completion of the cross call. This first required getting the flush_tlb_pending() call out from switch_to() which operates with locks held and interrupts disabled. The problem is that smp_call_function_many() cannot be invoked with IRQs disabled and this is explicitly checked for with WARN_ON_ONCE(). We get the batch processing outside of locked IRQ disabled sections by using some ideas from the powerpc port. Namely, we only batch inside of arch_{enter,leave}_lazy_mmu_mode() calls. If we're not in such a region, we flush TLBs synchronously. 1) Get rid of xcall_flush_tlb_pending and per-cpu type implementations. 2) Do TLB batch cross calls instead via: smp_call_function_many() tlb_pending_func() __flush_tlb_pending() 3) Batch only in lazy mmu sequences: a) Add 'active' member to struct tlb_batch b) Define __HAVE_ARCH_ENTER_LAZY_MMU_MODE c) Set 'active' in arch_enter_lazy_mmu_mode() d) Run batch and clear 'active' in arch_leave_lazy_mmu_mode() e) Check 'active' in tlb_batch_add_one() and do a synchronous flush if it's clear. 4) Add infrastructure for synchronous TLB page flushes. a) Implement __flush_tlb_page and per-cpu variants, patch as needed. b) Likewise for xcall_flush_tlb_page. c) Implement smp_flush_tlb_page() to invoke the cross-call. d) Wire up global_flush_tlb_page() to the right routine based upon CONFIG_SMP 5) It turns out that singleton batches are very common, 2 out of every 3 batch flushes have only a single entry in them. The batch flush waiting is very expensive, both because of the poll on sibling cpu completeion, as well as because passing the tlb batch pointer to the sibling cpus invokes a shared memory dereference. Therefore, in flush_tlb_pending(), if there is only one entry in the batch perform a completely asynchronous global_flush_tlb_page() instead. Reported-by: Dave Kleikamp Signed-off-by: David S. Miller Acked-by: Dave Kleikamp arch/sparc/include/asm/pgtable_64.h | 1 + arch/sparc/include/asm/switch_to_64.h | 3 +- arch/sparc/include/asm/tlbflush_64.h | 37 +++++++++-- arch/sparc/kernel/smp_64.c | 41 ++++++++++- arch/sparc/mm/tlb.c | 38 +++++++++- arch/sparc/mm/tsb.c | 57 ++++++++++++---- arch/sparc/mm/ultra.S | 119 ++++++++++++++++++++++++++------- 7 files changed, 241 insertions(+), 55 deletions(-) commit cd80cc3cfd122295e6ec6db1e5e16e5b7a5d3b59 Author: Linus Torvalds Date: Fri Apr 19 15:32:32 2013 +0000 Upstream commit: 83f1b4ba917db5dc5a061a44b3403ddb6e783494 net: fix incorrect credentials passing Commit 257b5358b32f ("scm: Capture the full credentials of the scm sender") changed the credentials passing code to pass in the effective uid/gid instead of the real uid/gid. Obviously this doesn't matter most of the time (since normally they are the same), but it results in differences for suid binaries when the wrong uid/gid ends up being used. This just undoes that (presumably unintentional) part of the commit. Reported-by: Andy Lutomirski Cc: Eric W. Biederman Cc: Serge E. Hallyn Cc: David S. Miller Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Acked-by: "Eric W. Biederman" Signed-off-by: David S. Miller include/net/scm.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit e126225d1fcaa405ff2a7f1518d615cffe42e7d5 Author: Brad Spengler Date: Thu Apr 18 19:22:40 2013 -0400 move _etext to only cover kernel code, not read-only data, as reported by Gu1 arch/arm/kernel/vmlinux.lds.S | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 98ad6adbc48759e4f9eae435d3e51ba487155685 Author: Brad Spengler Date: Thu Apr 18 19:17:24 2013 -0400 add asm/sections.h for USERCOPY change fs/exec.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c403a6c43da1bcac9b1ef2bca9bba0fb84a40f10 Author: Dmitry Popov Date: Thu Apr 11 08:55:07 2013 +0000 Upstream commit: d66954a066158781ccf9c13c91d0316970fe57b6 tcp: incoming connections might use wrong route under synflood There is a bug in cookie_v4_check (net/ipv4/syncookies.c): flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP, inet_sk_flowi_flags(sk), (opt && opt->srr) ? opt->faddr : ireq->rmt_addr, ireq->loc_addr, th->source, th->dest); Here we do not respect sk->sk_bound_dev_if, therefore wrong dst_entry may be taken. This dst_entry is used by new socket (get_cookie_sock -> tcp_v4_syn_recv_sock), so its packets may take the wrong path. Signed-off-by: Dmitry Popov Signed-off-by: David S. Miller net/ipv4/syncookies.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 3600395e8fef3ae712e72f9b68c3609639616df8 Author: Thomas Graf Date: Thu Apr 11 10:57:18 2013 +0000 Upstream commit: 50bceae9bd3569d56744882f3012734d48a1d413 tcp: Reallocate headroom if it would overflow csum_start If a TCP retransmission gets partially ACKed and collapsed multiple times it is possible for the headroom to grow beyond 64K which will overflow the 16bit skb->csum_start which is based on the start of the headroom. It has been observed rarely in the wild with IPoIB due to the 64K MTU. Verify if the acking and collapsing resulted in a headroom exceeding what csum_start can cover and reallocate the headroom if so. A big thank you to Jim Foraker and the team at LLNL for helping out with the investigation and testing. Reported-by: Jim Foraker Signed-off-by: Thomas Graf Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 4b0b9a5038da806a2b6eba9efc3f3a53c5188a61 Author: Ivan Vecera Date: Fri Apr 12 16:49:24 2013 +0200 Upstream commit: f11a869d4e38397ac81f2a3d22e8d2aeb3992b0f be2net: take care of __vlan_put_tag return value The driver should use return value of __vlan_put_tag with appropriate NULL-check instead of old skb pointer. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/emulex/benet/be_main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit 8d3aca40a891f13b9b1e0d957913fa788fd1cc55 Author: Wei Yongjun Date: Fri Apr 12 03:17:12 2013 +0000 Upstream commit: 3be8fbab18fbc06b6ff94a56f9c225e29ea64a73 tuntap: fix error return code in tun_set_iff() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. [ Bug added in linux-3.8 , commit 4008e97f866db665 ("tuntap: fix ambigious multiqueue API") ] Signed-off-by: Wei Yongjun Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 42cfd101287e0ffa5e8425ca7dd3c4131a7a601c Author: Wei Yongjun Date: Sat Apr 13 15:49:03 2013 +0000 Upstream commit: 06848c10f720cbc20e3b784c0df24930b7304b93 esp4: fix error return code in esp_output() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Steffen Klassert Signed-off-by: David S. Miller net/ipv4/esp4.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 2b45b5f52c2a8930f80c62de392a62516c83e225 Author: Bjørn Mork Date: Tue Apr 16 00:17:07 2013 +0000 Upstream commit: 32b161aa88aa40a83888a995c6e2ef81140219b1 net: cdc_mbim: remove bogus sizeof() The intention was to test against the constant, not the size of the constant. Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller drivers/net/usb/cdc_mbim.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 17d7408795519037a5a1272c7888238e20830bfe Author: Vyacheslav Dubeyko Date: Wed Apr 17 15:58:33 2013 -0700 Upstream commit: 12f267a20aecf8b84a2a9069b9011f1661c779b4 hfsplus: fix potential overflow in hfsplus_file_truncate() Change a u32 to loff_t hfsplus_file_truncate(). Signed-off-by: Vyacheslav Dubeyko Cc: Christoph Hellwig Cc: Al Viro Cc: Hin-Tak Leung Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/hfsplus/extents.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5c9574e7f16e7a9b3ea9b419c46ddc57110a555b Author: Emese Revfy Date: Wed Apr 17 15:58:36 2013 -0700 Upstream commit: b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f kernel/signal.c: stop info leak via the tkill and the tgkill syscalls This fixes a kernel memory contents leak via the tkill and tgkill syscalls for compat processes. This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field when handling signals delivered from tkill. The place of the infoleak: int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) { ... put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); ... } Signed-off-by: Emese Revfy Reviewed-by: PaX Team Signed-off-by: Kees Cook Cc: Al Viro Cc: Oleg Nesterov Cc: "Eric W. Biederman" Cc: Serge Hallyn Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/signal.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 0942d16614b0ef59d50b10151d77ec52fc98c2d0 Author: Brad Spengler Date: Wed Apr 17 20:17:00 2013 -0400 Improve PAX_USERCOPY to reject direct copies to/from main kernel text fs/exec.c | 29 +++++++++++++++++++++++++++-- 1 files changed, 27 insertions(+), 2 deletions(-) commit 3cb37d0c0c77dc3928ff8417f982139f95366eba Merge: e87c19f c664779 Author: Brad Spengler Date: Wed Apr 17 20:06:08 2013 -0400 Merge branch 'pax-test' into grsec-test commit c664779987cb0c27a242029f0e0db812e3236203 Author: Brad Spengler Date: Wed Apr 17 19:54:09 2013 -0400 add intentional_overflow marking for resource_size() as reasoned by: http://forums.grsecurity.net/viewtopic.php?f=3&t=3412 include/linux/ioport.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e87c19f8312355b8658e5138c16bfa6043a379c8 Merge: 802d119 d0c636c Author: Brad Spengler Date: Wed Apr 17 16:57:12 2013 -0400 Merge branch 'pax-test' into grsec-test commit d0c636ceaaf406e606898ce3e770e32fb043ea8a Merge: bc88628 2396403 Author: Brad Spengler Date: Wed Apr 17 16:57:01 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/x86/kernel/paravirt.c commit 802d1193dcb507b2a62a2de0a869a7dbadd66b9b Author: Brad Spengler Date: Sun Apr 14 21:39:51 2013 -0400 move location of RBAC user check on setfsuid until after capability checks for consistency with other checks kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 1a860d7d67051559ab2e6d10f9888649c92904e6 Author: Brad Spengler Date: Sun Apr 14 21:34:46 2013 -0400 A denied setfsuid by the RBAC system would result in an abort_creds() being called with an uninitalized pointer, introduced by a bad forward-port kernel/sys.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 9f94b84d0e5e101fe8ea8ebcc8eeb141d8a6edb9 Merge: c38d142 bc88628 Author: Brad Spengler Date: Sun Apr 14 21:28:33 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit bc88628a6a8fcccaabb90908640809b0540df225 Author: Brad Spengler Date: Sun Apr 14 21:26:41 2013 -0400 Update to pax-linux-3.8.7-test20.patch: - fixed KERNEXEC and NMI nesting problem reported by stef&hunger - changed PHYSICAL_ALIGN/START to fix http://forums.grsecurity.net/viewtopic.php?f=3&t=3414 - CONSTIFY depends on KERNEXEC (for the kernel open/close feature) - fixed CONSTIFY and powerpc interference, reported by John Hardin (https://bugs.gentoo.org/show_bug.cgi?id=456364) arch/powerpc/include/asm/smp.h | 2 +- arch/x86/Kconfig | 4 ++-- arch/x86/kernel/entry_64.S | 8 ++++---- security/Kconfig | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) commit c38d142744489fc4d9be80188b6435a278438fd9 Author: Suleiman Souhlal Date: Sat Apr 13 16:03:06 2013 -0700 Upstream commit: 5b55d708335a9e3e4f61f2dadf7511502205ccd1 vfs: Revert spurious fix to spinning prevention in prune_icache_sb Revert commit 62a3ddef6181 ("vfs: fix spinning prevention in prune_icache_sb"). This commit doesn't look right: since we are looking at the tail of the list (sb->s_inode_lru.prev) if we want to skip an inode, we should put it back at the head of the list instead of the tail, otherwise we will keep spinning on it. Discovered when investigating why prune_icache_sb came top in perf reports of a swapping load. Signed-off-by: Suleiman Souhlal Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v3.2+ Signed-off-by: Linus Torvalds fs/inode.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93019624b80ba59798393942798d7f6ed0c1dbc6 Author: Linus Torvalds Date: Sat Apr 13 15:15:30 2013 -0700 Upstream commit: a49b7e82cab0f9b41f483359be83f44fbb6b4979 kobject: fix kset_find_obj() race with concurrent last kobject_put() Anatol Pomozov identified a race condition that hits module unloading and re-loading. To quote Anatol: "This is a race codition that exists between kset_find_obj() and kobject_put(). kset_find_obj() might return kobject that has refcount equal to 0 if this kobject is freeing by kobject_put() in other thread. Here is timeline for the crash in case if kset_find_obj() searches for an object tht nobody holds and other thread is doing kobject_put() on the same kobject: THREAD A (calls kset_find_obj()) THREAD B (calls kobject_put()) splin_lock() atomic_dec_return(kobj->kref), counter gets zero here ... starts kobject cleanup .... spin_lock() // WAIT thread A in kobj_kset_leave() iterate over kset->list atomic_inc(kobj->kref) (counter becomes 1) spin_unlock() spin_lock() // taken // it does not know that thread A increased counter so it remove obj from list spin_unlock() vfree(module) // frees module object with containing kobj // kobj points to freed memory area!! kobject_put(kobj) // OOPS!!!! The race above happens because module.c tries to use kset_find_obj() when somebody unloads module. The module.c code was introduced in commit 6494a93d55fa" Anatol supplied a patch specific for module.c that worked around the problem by simply not using kset_find_obj() at all, but rather than make a local band-aid, this just fixes kset_find_obj() to be thread-safe using the proper model of refusing the get a new reference if the refcount has already dropped to zero. See examples of this proper refcount handling not only in the kref documentation, but in various other equivalent uses of this pattern by grepping for atomic_inc_not_zero(). [ Side note: the module race does indicate that module loading and unloading is not properly serialized wrt sysfs information using the module mutex. That may require further thought, but this is the correct fix at the kobject layer regardless. ] Reported-analyzed-and-tested-by: Anatol Pomozov Cc: Greg Kroah-Hartman Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds lib/kobject.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 5277b052b5fab36729e1255fb3b12f47a4b12867 Author: Dave Hansen Date: Fri Apr 12 16:23:54 2013 -0700 Upstream commit: 1de14c3c5cbc9bb17e9dcc648cda51c0c85d54b9 x86-32: Fix possible incomplete TLB invalidate with PAE pagetables This patch attempts to fix: https://bugzilla.kernel.org/show_bug.cgi?id=56461 The symptom is a crash and messages like this: chrome: Corrupted page table at address 34a03000 *pdpt = 0000000000000000 *pde = 0000000000000000 Bad pagetable: 000f [#1] PREEMPT SMP Ingo guesses this got introduced by commit 611ae8e3f520 ("x86/tlb: enable tlb flush range support for x86") since that code started to free unused pagetables. On x86-32 PAE kernels, that new code has the potential to free an entire PMD page and will clear one of the four page-directory-pointer-table (aka pgd_t entries). The hardware aggressively "caches" these top-level entries and invlpg does not actually affect the CPU's copy. If we clear one we *HAVE* to do a full TLB flush, otherwise we might continue using a freed pmd page. (note, we do this properly on the population side in pud_populate()). This patch tracks whenever we clear one of these entries in the 'struct mmu_gather', and ensures that we follow up with a full tlb flush. BTW, I disassembled and checked that: if (tlb->fullmm == 0) and if (!tlb->fullmm && !tlb->need_flush_all) generate essentially the same code, so there should be zero impact there to the !PAE case. Signed-off-by: Dave Hansen Cc: Peter Anvin Cc: Ingo Molnar Cc: Artem S Tashkinov Signed-off-by: Linus Torvalds arch/x86/include/asm/tlb.h | 2 +- arch/x86/mm/pgtable.c | 7 +++++++ include/asm-generic/tlb.h | 7 ++++++- mm/memory.c | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) commit 521e573fc77d1783c1d4636dfbb4617a922f043d Merge: 032f626 f807619 Author: Brad Spengler Date: Fri Apr 12 19:29:34 2013 -0400 Merge branch 'pax-test' into grsec-test commit f80761993b85df96fc142dfc3a317cadc0f8eae5 Author: Brad Spengler Date: Fri Apr 12 19:28:21 2013 -0400 Update to pax-linux-3.8.7-test19.patch: - fixed STACKLEAK/XEN interference once again, reported by Jason A. Donenfeld - fixed small typo, reported by mlarm (http://forums.grsecurity.net/viewtopic.php?f=3&t=3411) - fixed the structleak plugin to compile for gcc 4.5-4.6 as well Makefile | 2 +- arch/x86/xen/enlighten.c | 6 +++--- tools/gcc/structleak_plugin.c | 5 +++-- 3 files changed, 7 insertions(+), 6 deletions(-) commit 032f626a4ae9bc3196313a2e762650c3d9abdc96 Merge: a3a770e 89886f5 Author: Brad Spengler Date: Fri Apr 12 18:38:40 2013 -0400 Merge branch 'pax-test' into grsec-test commit 89886f561cc0d1c42a99624ec8c3704711088155 Merge: 9123489 531ec28 Author: Brad Spengler Date: Fri Apr 12 18:38:30 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit a3a770e18578841e4fbe2aa0831a22811b4812cf Author: Brad Spengler Date: Thu Apr 11 20:46:20 2013 -0400 Revert "Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot" Will be fixed with the next PaX patch This reverts commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7. security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit fc98763e4f1f1487928750b26a63098b9e0ed5b1 Author: Konrad Rzeszutek Wilk Date: Fri Mar 29 10:20:56 2013 -0400 Upstream commit: b22227944b8fe92b19150b4c36421e37979d9a16 xen/mmu: On early bootup, flush the TLB when changing RO->RW bits Xen provided pagetables. Occassionaly on a DL380 G4 the guest would crash quite early with this: (XEN) d244:v0: unhandled page fault (ec=0003) (XEN) Pagetable walk from ffffffff84dc7000: (XEN) L4[0x1ff] = 00000000c3f18067 0000000000001789 (XEN) L3[0x1fe] = 00000000c3f14067 000000000000178d (XEN) L2[0x026] = 00000000dc8b2067 0000000000004def (XEN) L1[0x1c7] = 00100000dc8da067 0000000000004dc7 (XEN) domain_crash_sync called from entry.S (XEN) Domain 244 (vcpu#0) crashed on cpu#3: (XEN) ----[ Xen-4.1.3OVM x86_64 debug=n Not tainted ]---- (XEN) CPU: 3 (XEN) RIP: e033:[] (XEN) RFLAGS: 0000000000000216 EM: 1 CONTEXT: pv guest (XEN) rax: 0000000000000000 rbx: ffffffff81785f88 rcx: 000000000000003f (XEN) rdx: 0000000000000000 rsi: 00000000dc8da063 rdi: ffffffff84dc7000 The offending code shows it to be a loop writting the value zero (%rax) in the %rdi (the L4 provided by Xen) register: 0: 44 00 00 add %r8b,(%rax) 3: 31 c0 xor %eax,%eax 5: b9 40 00 00 00 mov $0x40,%ecx a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 11: 00 00 13: ff c9 dec %ecx 15:* 48 89 07 mov %rax,(%rdi) <-- trapping instruction 18: 48 89 47 08 mov %rax,0x8(%rdi) 1c: 48 89 47 10 mov %rax,0x10(%rdi) which fails. xen_setup_kernel_pagetable recycles some of the Xen's page-table entries when it has switched over to its Linux page-tables. Right before try to clear the page, we make a hypercall to change it from _RO to _RW and that works (otherwise we would hit an BUG()). And the _RW flag is set for that page: (XEN) L1[0x1c7] = 001000004885f067 0000000000004dc7 The error code is 3, so PFEC_page_present and PFEC_write_access, so page is present (correct), and we tried to write to the page, but a violation occurred. The one theory is that the the page entries in hardware (which are cached) are not up to date with what we just set. Especially as we have just done an CR3 write and flushed the multicalls. This patch does solve the problem by flusing out the TLB page entry after changing it from _RO to _RW and we don't hit this issue anymore. Fixed-Oracle-Bug: 16243091 [ON OCCASIONS VM START GOES INTO 'CRASH' STATE: CLEAR_PAGE+0X12 ON HP DL380 G4] Reported-and-Tested-by: Saar Maoz Signed-off-by: Konrad Rzeszutek Wilk arch/x86/xen/mmu.c | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) commit d56bdc2595e76ca48cbfd695def7f82c3ab80c11 Author: Namhyung Kim Date: Mon Apr 1 21:46:23 2013 +0900 Upstream commit: 83e03b3fe4daffdebbb42151d5410d730ae50bd1 tracing: Fix double free when function profile init failed On the failure path, stat->start and stat->pages will refer same page. So it'll attempt to free the same page again and get kernel panic. Link: http://lkml.kernel.org/r/1364820385-32027-1-git-send-email-namhyung@kernel.org Cc: Frederic Weisbecker Cc: Namhyung Kim Cc: stable@vger.kernel.org Signed-off-by: Namhyung Kim Signed-off-by: Steven Rostedt kernel/trace/ftrace.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit c86b0de9f4c42a7ede40df5af9436e87ccc784bb Author: Neil Horman Date: Tue Apr 9 23:19:00 2013 +0000 Upstream commit: 61a0f6efc8932e9914e1782ff3a027e23c687fc6 e100: Add dma mapping error check e100 uses pci_map_single, but fails to check for a dma mapping error after its use, resulting in a stack trace: [ 46.656594] ------------[ cut here ]------------ [ 46.657004] WARNING: at lib/dma-debug.c:933 check_unmap+0x47b/0x950() [ 46.657004] Hardware name: To Be Filled By O.E.M. [ 46.657004] e100 0000:00:0e.0: DMA-API: device driver failed to check map error[device address=0x000000007a4540fa] [size=90 bytes] [mapped as single] [ 46.657004] Modules linked in: [ 46.657004] w83627hf hwmon_vid snd_via82xx ppdev snd_ac97_codec ac97_bus snd_seq snd_pcm snd_mpu401 snd_mpu401_uart ns558 snd_rawmidi gameport parport_pc e100 snd_seq_device parport snd_page_alloc snd_timer snd soundcore skge shpchp k8temp mii edac_core i2c_viapro edac_mce_amd nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput ata_generic pata_acpi radeon i2c_algo_bit drm_kms_helper ttm firewire_ohci drm firewire_core pata_via sata_via i2c_core sata_promise crc_itu_t [ 46.657004] Pid: 792, comm: ip Not tainted 3.8.0-0.rc6.git0.1.fc19.x86_64 #1 [ 46.657004] Call Trace: [ 46.657004] [] warn_slowpath_common+0x70/0xa0 [ 46.657004] [] warn_slowpath_fmt+0x4c/0x50 [ 46.657004] [] check_unmap+0x47b/0x950 [ 46.657004] [] debug_dma_unmap_page+0x5f/0x70 [ 46.657004] [] ? e100_tx_clean+0x30/0x210 [e100] [ 46.657004] [] e100_tx_clean+0xe8/0x210 [e100] [ 46.657004] [] e100_poll+0x56f/0x6c0 [e100] [ 46.657004] [] ? net_rx_action+0xa1/0x370 [ 46.657004] [] net_rx_action+0x172/0x370 [ 46.657004] [] __do_softirq+0xef/0x3d0 [ 46.657004] [] call_softirq+0x1c/0x30 [ 46.657004] [] do_softirq+0x85/0xc0 [ 46.657004] [] irq_exit+0xd5/0xe0 [ 46.657004] [] do_IRQ+0x56/0xc0 [ 46.657004] [] common_interrupt+0x72/0x72 [ 46.657004] [] ? _raw_spin_unlock_irqrestore+0x3b/0x70 [ 46.657004] [] __slab_free+0x58/0x38b [ 46.657004] [] ? fsnotify_clear_marks_by_inode+0x34/0x120 [ 46.657004] [] ? kmem_cache_free+0x97/0x320 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] ? sock_destroy_inode+0x34/0x40 [ 46.657004] [] kmem_cache_free+0x312/0x320 [ 46.657004] [] sock_destroy_inode+0x34/0x40 [ 46.657004] [] destroy_inode+0x38/0x60 [ 46.657004] [] evict+0x10e/0x1a0 [ 46.657004] [] iput+0xf5/0x180 [ 46.657004] [] dput+0x248/0x310 [ 46.657004] [] __fput+0x171/0x240 [ 46.657004] [] ____fput+0xe/0x10 [ 46.657004] [] task_work_run+0xac/0xe0 [ 46.657004] [] do_exit+0x26d/0xc30 [ 46.657004] [] ? finish_task_switch+0x7c/0x120 [ 46.657004] [] ? retint_swapgs+0x13/0x1b [ 46.657004] [] do_group_exit+0x49/0xc0 [ 46.657004] [] sys_exit_group+0x14/0x20 [ 46.657004] [] system_call_fastpath+0x16/0x1b [ 46.657004] ---[ end trace 4468c44e2156e7d1 ]--- [ 46.657004] Mapped at: [ 46.657004] [] debug_dma_map_page+0x91/0x140 [ 46.657004] [] e100_xmit_prepare+0x12b/0x1c0 [e100] [ 46.657004] [] e100_exec_cb+0x84/0x140 [e100] [ 46.657004] [] e100_xmit_frame+0x3a/0x190 [e100] [ 46.657004] [] dev_hard_start_xmit+0x259/0x6c0 Easy fix, modify the cb paramter to e100_exec_cb to return an error, and do the dma_mapping_error check in the obvious place This was reported previously here: http://article.gmane.org/gmane.linux.network/257893 But nobody stepped up and fixed it. CC: Josh Boyer CC: e1000-devel@lists.sourceforge.net Signed-off-by: Neil Horman Reported-by: Michal Jaegermann Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/e100.c | 36 +++++++++++++++++++++++++----------- 1 files changed, 25 insertions(+), 11 deletions(-) commit df93708573ce6c512b9a9406a83a6fd4e87ff6a6 Author: Trond Myklebust Date: Wed Apr 10 12:44:18 2013 -0400 Upstream commit: eb04e0ac198cec3bab407ad220438dfa65c19c67 NFSv4: Doh! Typo in the fix to nfs41_walk_client_list Make sure that we set the status to 0 on success. Missed in testing because it never appears when doing multiple mounts to _different_ servers. Signed-off-by: Trond Myklebust Cc: # 3.7.x: 7b1f1fd: NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list fs/nfs/nfs4client.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 0ea7b7294f627588b0b3dc26a8a0ff8e1e27b5ea Author: Yuval Mintz Date: Wed Apr 10 13:34:39 2013 +0300 Upstream commit: fea75645342c7ad574214497a78e562db12dfd7b bnx2x: Prevent null pointer dereference in AFEX mode The cnic module is responsible for initializing various bnx2x structs via callbacks provided by the bnx2x module. One such struct is the queue object for the FCoE queue. If a device is working in AFEX mode and its configuration allows FCoE yet the cnic module is not loaded, it's very likely a null pointer dereference will occur, as the bnx2x will erroneously access the FCoE's queue object. Prevent said access until cnic properly registers itself. Signed-off-by: Yuval Mintz Signed-off-by: Ariel Elior Signed-off-by: Eilon Greenstein Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 2908830232725db624aaa052f7ad38d1f98bf541 Author: Wei Yongjun Date: Tue Apr 9 14:16:04 2013 +0800 Upstream commit: 3480a2125923e4b7a56d79efc76743089bf273fc can: gw: use kmem_cache_free() instead of kfree() Memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Cc: linux-stable # >= v3.2 Signed-off-by: Wei Yongjun Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/gw.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit d40b572e845a5fb561e3c4a80cc306cd38888a4e Author: Christoph Paasch Date: Sun Apr 7 04:53:15 2013 +0000 Upstream commit: 50a75a8914539c5dcd441c5f54d237a666a426fd ipv6/tcp: Stop processing ICMPv6 redirect messages Tetja Rediske found that if the host receives an ICMPv6 redirect message after sending a SYN+ACK, the connection will be reset. He bisected it down to 093d04d (ipv6: Change skb->data before using icmpv6_notify() to propagate redirect), but the origin of the bug comes from ec18d9a26 (ipv6: Add redirect support to all protocol icmp error handlers.). The bug simply did not trigger prior to 093d04d, because skb->data did not point to the inner IP header and thus icmpv6_notify did not call the correct err_handler. This patch adds the missing "goto out;" in tcp_v6_err. After receiving an ICMPv6 Redirect, we should not continue processing the ICMP in tcp_v6_err, as this may trigger the removal of request-socks or setting sk_err(_soft). Reported-by: Tetja Rediske Signed-off-by: Christoph Paasch Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv6/tcp_ipv6.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit c7d5c2524456ef3ea9194840e7a9a75069a46824 Author: Brad Spengler Date: Wed Apr 10 20:32:54 2013 -0400 - fixed typo in Makefile reported by mlarm (https://forums.grsecurity.net/viewtopic.php?t=3411) Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit acac2380fd97acee4367d2aa24c74322dcf1d22b Author: Trond Myklebust Date: Fri Apr 5 16:11:11 2013 -0400 Upstream commit: 7b1f1fd1842e6ede25183c267ae733a7f67f00bc NFSv4/4.1: Fix bugs in nfs4[01]_walk_client_list It is unsafe to use list_for_each_entry_safe() here, because when we drop the nn->nfs_client_lock, we pin the _current_ list entry and ensure that it stays in the list, but we don't do the same for the _next_ list entry. Use of list_for_each_entry() is therefore the correct thing to do. Also fix the refcounting in nfs41_walk_client_list(). Finally, ensure that the nfs_client has finished being initialised and, in the case of NFSv4.1, that the session is set up. Signed-off-by: Trond Myklebust Cc: Chuck Lever Cc: Bryan Schumaker Cc: stable@vger.kernel.org [>= 3.7] fs/nfs/nfs4client.c | 44 ++++++++++++++++++++++++++++---------------- 1 files changed, 28 insertions(+), 16 deletions(-) commit a6cf5f387b882ac0ce655b75f623f86c075517be Author: Chuck Lever Date: Fri Mar 22 12:52:59 2013 -0400 Upstream commit: a58e0be6f6b3eb2079b0b8fedc9df6fa86869f1e SUNRPC: Remove extra xprt_put() While testing error cases where rpc_new_client() fails, I saw some oopses. If rpc_new_client() fails, it already invokes xprt_put(). Thus __rpc_clone_client() does not need to invoke it again. Introduced by commit 1b63a751 "SUNRPC: Refactor rpc_clone_client()" Fri Sep 14, 2012. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org [>=3.7] Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit a744b307c1f65ceb100412dc18cdd7ecc9a8ae00 Author: Trond Myklebust Date: Fri Apr 5 14:13:21 2013 -0400 Upstream commit: f05c124a70a4953a66acbd6d6c601ea1eb5d0fa7 SUNRPC: Fix a potential memory leak in rpc_new_client If the call to rpciod_up() fails, we currently leak a reference to the struct rpc_xprt. As part of the fix, we also remove the redundant check for xprt!=NULL. This is already taken care of by the callers. Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) commit 43b9f1b9b8380984c5c100978bd33e8f16da06ac Author: Brad Spengler Date: Wed Apr 10 19:16:05 2013 -0400 From https://lkml.org/lkml/2013/4/8/469: [PATCH] rtnetlink: call nlmsg_parse() with correct header length net/core/rtnetlink.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9529169b8c405874fd543b785f53c74fa0501c2a Author: Christopher Harvey Date: Fri Apr 5 10:51:15 2013 -0400 Upstream commit: 1812a3db0874be1d1524086da9e84397b800f546 drm/mgag200: Index 24 in extended CRTC registers is 24 in hex, not decimal. This change properly enables the "requester" in G200ER cards that is responsible for getting pixels out of memory and clocking them out to the screen. Signed-off-by: Christopher Harvey Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/mgag200/mgag200_mode.c | 13 +++---------- 1 files changed, 3 insertions(+), 10 deletions(-) commit 07c42243c7b01e2a7a9d168ad491e28b9ef9082a Author: Al Viro Date: Thu Mar 28 13:30:23 2013 -0400 Upstream commit: 52f21999c7b921a0390708b66ed286282c2e4bee ecryptfs: close rmmod race Signed-off-by: Al Viro fs/ecryptfs/miscdev.c | 14 ++------------ 1 files changed, 2 insertions(+), 12 deletions(-) commit 2800bdcf9cd642b967e5fdc2a15c1c4aefbadd9b Author: Brad Spengler Date: Wed Apr 10 19:03:45 2013 -0400 Backport overflow fix from upstream commit: ccf932042fa7785832d8989ba1369cd7c7f5d7a1 arch/ia64/kernel/palinfo.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 83280e384ae3ceadad30369ced111dc7d4b46085 Author: Andrey Vagin Date: Tue Apr 9 17:33:29 2013 +0400 Upstream commit: e9c5d8a562f01b211926d70443378eb14b29a676 mnt: release locks on error path in do_loopback do_loopback calls lock_mount(path) and forget to unlock_mount if clone_mnt or copy_mnt fails. [ 77.661566] ================================================ [ 77.662939] [ BUG: lock held when returning to user space! ] [ 77.664104] 3.9.0-rc5+ #17 Not tainted [ 77.664982] ------------------------------------------------ [ 77.666488] mount/514 is leaving the kernel with locks still held! [ 77.668027] 2 locks held by mount/514: [ 77.668817] #0: (&sb->s_type->i_mutex_key#7){+.+.+.}, at: [] lock_mount+0x32/0xe0 [ 77.671755] #1: (&namespace_sem){+++++.}, at: [] lock_mount+0x4a/0xe0 Signed-off-by: Andrey Vagin Signed-off-by: Al Viro fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 679e536b9d9536d804f049fe942367a596253e6d Author: Alex Williamson Date: Tue Mar 26 11:33:16 2013 -0600 Upstream commit: 904c680c7bf016a8619a045850937427f8d7368c vfio-pci: Fix possible integer overflow The VFIO_DEVICE_SET_IRQS ioctl takes a start and count parameter, both of which are unsigned. We attempt to bounds check these, but fail to account for the case where start is a very large number, allowing start + count to wrap back into the valid range. Bounds check both start and start + count. Reported-by: Dan Carpenter Signed-off-by: Alex Williamson drivers/vfio/pci/vfio_pci.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 63badcd2023717cc62b6c3ad5f25fe504c49e6d7 Author: Brad Spengler Date: Wed Apr 10 18:48:45 2013 -0400 Don't auto-enable stackleak if kernel is used for xen dom0, kernel will not boot security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b5261a6384ee42499b29495aaae40b271e77d394 Author: Brad Spengler Date: Tue Apr 9 17:30:45 2013 -0400 some undefined behavior fixups grsecurity/gracl.c | 4 ++-- grsecurity/gracl_ip.c | 10 +++++----- grsecurity/gracl_segv.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) commit 9f83caa35e78be1f3e753586ab217555c3b21ff4 Author: Brad Spengler Date: Tue Apr 9 17:28:54 2013 -0400 don't whine about denied ipv6 when it's not enabled grsecurity/gracl_ip.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 5a02f8bc96bd0c31f9ff09e63f9d85d560b8be61 Merge: 97bca88 9123489 Author: Brad Spengler Date: Tue Apr 9 17:18:45 2013 -0400 Merge branch 'pax-test' into grsec-test commit 9123489428c58668a89f316db6619739cbdd2c2a Author: Brad Spengler Date: Tue Apr 9 17:17:46 2013 -0400 Update to pax-linux-3.8.6-test18.patch: - new size overflow plugin from Emese to work around a gcc optimization resulting in an intentional overflow, reported by Carlos Carvalho (http://forums.grsecurity.net/viewtopic.php?f=3&t=3409) tools/gcc/size_overflow_plugin.c | 68 ++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 2 deletions(-) commit 97bca8889e0f1e853f16b7026c39c6729a8587ab Merge: 675a41e e9d6073 Author: Brad Spengler Date: Mon Apr 8 21:32:59 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/sparc/kernel/us3_cpufreq.c commit e9d6073f15010ccace0b6b0f0a19ed63cf1adeef Author: Brad Spengler Date: Mon Apr 8 21:19:03 2013 -0400 Update to pax-linux-3.8.6-test17.patch: - fixed ia64/ppc/sparc compilation by spender - improved the STRUCTLEAK gcc plugin to cover a few more cases (credit to stef for the bugreport) arch/ia64/include/asm/uaccess.h | 2 - arch/powerpc/include/asm/uaccess.h | 2 - arch/sparc/include/asm/uaccess.h | 7 ---- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/us3_cpufreq.c | 69 ++++++++++-------------------------- tools/gcc/structleak_plugin.c | 15 ++++---- 6 files changed, 28 insertions(+), 69 deletions(-) commit 675a41e42a636dcb1e97bffe0f0fa6262242e64b Author: Brad Spengler Date: Sun Apr 7 12:00:50 2013 -0400 fix similar leaks in sys_recvfrom as fixed in recvmsg, already handled by the new structleak plugin net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5a216624a06429488f24ce47db093da042f90e48 Author: Brad Spengler Date: Sat Apr 6 13:22:24 2013 -0400 fix typo arch/sparc/kernel/us3_cpufreq.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) commit e476ca18d21788898cd3acd1b57049971a2fb70f Author: Brad Spengler Date: Sat Apr 6 13:16:13 2013 -0400 properly fix cpufreq_driver for ultrasparc III with constification arch/sparc/kernel/us3_cpufreq.c | 35 +++++++++++++++++------------------ 1 files changed, 17 insertions(+), 18 deletions(-) commit 3ef64a33c8a38d17db7d1e6ff13d9036c75598ae Author: Brad Spengler Date: Sat Apr 6 12:58:48 2013 -0400 mark prom_sparc_ops __initconst arch/sparc/kernel/prom_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit daaa8e290cb1eb08e86c6d3f0fb1a8270d897439 Author: Brad Spengler Date: Sat Apr 6 12:53:16 2013 -0400 fix ia64/powerpc/sparc compilation arch/ia64/include/asm/uaccess.h | 2 -- arch/powerpc/include/asm/uaccess.h | 2 -- arch/sparc/include/asm/uaccess.h | 7 ------- 3 files changed, 0 insertions(+), 11 deletions(-) commit 4a0cd3af0fd8788bd1c84de775743c8ae51e9a39 Author: Johannes Berg Date: Tue Mar 19 20:26:57 2013 +0100 Upstream commit: ce1eadda6badef9e4e3460097ede674fca47383d cfg80211: fix wdev tracing crash Arend reported a crash in tracing if the driver returns an ERR_PTR() value from the add_virtual_intf() callback. This is due to the tracing then still attempting to dereference the "pointer", fix this by using IS_ERR_OR_NULL(). Reported-by: Arend van Spriel Tested-by: Arend van Spriel Signed-off-by: Johannes Berg net/wireless/trace.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 68e6eafdaf9a3b37c780b3916a35a1961b1559fd Author: Johannes Berg Date: Mon Mar 25 11:51:14 2013 +0100 Upstream commit: 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b mac80211: fix remain-on-channel cancel crash If a ROC item is canceled just as it expires, the work struct may be scheduled while it is running (and waiting for the mutex). This results in it being run after being freed, which obviously crashes. To fix this don't free it when aborting is requested but instead mark it as "to be freed", which makes the work a no-op and allows freeing it outside. Cc: stable@vger.kernel.org [3.6+] Reported-by: Jouni Malinen Tested-by: Jouni Malinen Signed-off-by: Johannes Berg net/mac80211/cfg.c | 6 ++++-- net/mac80211/ieee80211_i.h | 3 ++- net/mac80211/offchannel.c | 23 +++++++++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) commit dd5df32b00e3c2344ba39fe01071e7b67b83e1e4 Author: Stone Piao Date: Fri Mar 29 19:21:21 2013 -0700 Upstream commit: 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f mwifiex: limit channel number not to overflow memory Limit the channel number in scan request, or the driver scan config structure memory will be overflowed. Cc: # 3.5+ Signed-off-by: Stone Piao Signed-off-by: Bing Zhao Signed-off-by: John W. Linville drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 207c411512bdaf0e4271f93ecac6ca26588da36f Author: Gao feng Date: Thu Mar 21 19:48:41 2013 +0000 Upstream commit: 130549fed828cc34c22624c6195afcf9e7ae56fe netfilter: reset nf_trace in nf_reset We forgot to clear the nf_trace of sk_buff in nf_reset, When we use veth device, this nf_trace information will be leaked from one net namespace to another net namespace. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso include/linux/skbuff.h | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 3b12800d73c763265b2de5f2a7a745d9caa62c6f Author: Wei Yongjun Date: Fri Mar 22 01:28:18 2013 +0000 Upstream commit: 558724a5b2a73ad0c7638e21e8dffc419d267b6c netfilter: nfnetlink_queue: fix error return code in nfnetlink_queue_init() Fix to return a negative error code from the error handling case instead of 0, as returned elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_queue_core.c | 4 +++- 1 files changed, 3 insertions(+), 1 deletions(-) commit a79feb7d3251eca577d83d7f69eee2b961ab2924 Author: Pablo Neira Ayuso Date: Sat Mar 23 16:57:59 2013 +0100 Upstream commit: deadcfc3324410726cd6a663fb4fc46be595abe7 netfilter: nfnetlink_acct: return -EINVAL if object name is empty If user-space tries to create accounting object with an empty name, then return -EINVAL. Reported-by: Michael Zintakis Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 1a51dca4fc16538d90a7a4c92b1ffe7e0fd76cf7 Author: Matthias Schiffer Date: Sat Mar 30 10:23:12 2013 +0000 Upstream commit: 906b1c394d0906a154fbdc904ca506bceb515756 netfilter: ip6t_NPT: Fix translation for non-multiple of 32 prefix lengths The bitmask used for the prefix mangling was being calculated incorrectly, leading to the wrong part of the address being replaced when the prefix length wasn't a multiple of 32. Signed-off-by: Matthias Schiffer Signed-off-by: Pablo Neira Ayuso net/ipv6/netfilter/ip6t_NPT.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3425de1e3dc22e1602f9c77fe8d258da58416d5e Author: Veaceslav Falico Date: Wed Apr 3 05:46:33 2013 +0000 Upstream commit: 4de79c737b200492195ebc54a887075327e1ec1d bonding: remove sysfs before removing devices We have a race condition if we try to rmmod bonding and simultaneously add a bond master through sysfs. In bonding_exit() we first remove the devices (through rtnl_link_unregister() ) and only after that we remove the sysfs. If we manage to add a device through sysfs after that the devices were removed - we'll end up with that device/sysfs structure and with the module unloaded. Fix this by first removing the sysfs and only after that calling rtnl_link_unregister(). Signed-off-by: Veaceslav Falico Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d12cae44a9d12441d81c489178803237219d403d Author: Eric W. Biederman Date: Wed Apr 3 16:14:47 2013 +0000 Upstream commit: 0e82e7f6dfeec1013339612f74abc2cdd29d43d2 af_unix: If we don't care about credentials coallesce all messages It was reported that the following LSB test case failed https://lsbbugs.linuxfoundation.org/attachment.cgi?id=2144 because we were not coallescing unix stream messages when the application was expecting us to. The problem was that the first send was before the socket was accepted and thus sock->sk_socket was NULL in maybe_add_creds, and the second send after the socket was accepted had a non-NULL value for sk->socket and thus we could tell the credentials were not needed so we did not bother. The unnecessary credentials on the first message cause unix_stream_recvmsg to start verifying that all messages had the same credentials before coallescing and then the coallescing failed because the second message had no credentials. Ignoring credentials when we don't care in unix_stream_recvmsg fixes a long standing pessimization which would fail to coallesce messages when reading from a unix stream socket if the senders were different even if we did not care about their credentials. I have tested this and verified that the in the LSB test case mentioned above that the messages do coallesce now, while the were failing to coallesce without this change. Reported-by: Karel Srot Reported-by: Ding Tianhong Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 126d882492b130da6367f71cdf3ac59bf4f4c1bf Author: Eric W. Biederman Date: Wed Apr 3 16:13:35 2013 +0000 Upstream commit: 25da0e3e9d3fb2b522bc2a598076735850310eb1 Revert "af_unix: dont send SCM_CREDENTIAL when dest socket is NULL" This reverts commit 14134f6584212d585b310ce95428014b653dfaf6. The problem that the above patch was meant to address is that af_unix messages are not being coallesced because we are sending unnecesarry credentials. Not sending credentials in maybe_add_creds totally breaks unconnected unix domain sockets that wish to send credentails to other sockets. In practice this break some versions of udev because they receive a message and the sending uid is bogus so they drop the message. Reported-by: Sven Joachim Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 1295b4f600e8f5ab56af71e5a89e4c0e74e95663 Author: Wei Yongjun Date: Wed Mar 20 21:31:42 2013 +0000 Upstream commit: cb0e51d80694fc9964436be1a1a15275e991cb1e lantiq_etop: use free_netdev(netdev) instead of kfree() Freeing netdev without free_netdev() leads to net, tx leaks. And it may lead to dereferencing freed pointer. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller drivers/net/ethernet/lantiq_etop.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1dcdddf846697fbd0b474e7b12ff92f7b408fe5f Author: Cong Wang Date: Fri Mar 22 19:14:07 2013 +0000 Upstream commit: 4a7df340ed1bac190c124c1601bfc10cde9fb4fb 8021q: fix a potential use-after-free vlan_vid_del() could possibly free ->vlan_info after a RCU grace period, however, we may still refer to the freed memory area by 'grp' pointer. Found by code inspection. This patch moves vlan_vid_del() as behind as possible. Cc: Patrick McHardy Cc: "David S. Miller" Signed-off-by: Cong Wang Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/8021q/vlan.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit fff29c277024a39845d4b535083c8dafc21b45d9 Author: Hong zhi guo Date: Sat Mar 23 02:27:50 2013 +0000 Upstream commit: 9b46922e15f4d9d2aedcd320c3b7f7f54d956da7 bridge: fix crash when set mac address of br interface When I tried to set mac address of a bridge interface to a mac address which already learned on this bridge, I got system hang. The cause is straight forward: function br_fdb_change_mac_address calls fdb_insert with NULL source nbp. Then an fdb lookup is performed. If an fdb entry is found and it's local, it's OK. But if it's not local, source is dereferenced for printk without NULL check. Signed-off-by: Hong Zhiguo Signed-off-by: David S. Miller net/bridge/br_fdb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b72eca0f8495b4b084bcf3eb4fbb425281ba5349 Author: Kumar Amit Mehta Date: Sat Mar 23 20:10:25 2013 +0000 Upstream commit: 8fe7f99a9e11a43183bc27420309ae105e1fec1a bnx2x: fix assignment of signed expression to unsigned variable fix for incorrect assignment of signed expression to unsigned variable. Signed-off-by: Kumar Amit Mehta Acked-by: Dmitry Kravkov Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_dcb.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) commit 4d2d5e3694574d8e9d7594bf6111f144dccc873e Author: dingtianhong Date: Mon Mar 25 17:02:04 2013 +0000 Upstream commit: 14134f6584212d585b310ce95428014b653dfaf6 af_unix: dont send SCM_CREDENTIAL when dest socket is NULL SCM_SCREDENTIALS should apply to write() syscalls only either source or destination socket asserted SOCK_PASSCRED. The original implememtation in maybe_add_creds is wrong, and breaks several LSB testcases ( i.e. /tset/LSB.os/netowkr/recvfrom/T.recvfrom). Origionally-authored-by: Karel Srot Signed-off-by: Ding Tianhong Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit b964e1e61f0f0ccaa380be3342f956c604054bdc Author: Eric W. Biederman Date: Thu Mar 21 02:30:41 2013 -0700 Upstream commit: eddc0a3abff273842a94784d2d022bbc36dc9015 yama: Better permission check for ptraceme Change the permission check for yama_ptrace_ptracee to the standard ptrace permission check, testing if the traceer has CAP_SYS_PTRACE in the tracees user namespace. Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" security/yama/yama_lsm.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) commit b94e71c7b6abe75989edff18aca2781233fa143b Author: Stanislav Kinsbursky Date: Mon Apr 1 11:40:51 2013 +0400 Upstream commit: 2dc958fa2fe6987e7ab106bd97029a09a82fcd8d ipc: set msg back to -EAGAIN if copy wasn't performed Make sure that msg pointer is set back to error value in case of MSG_COPY flag is set and desired message to copy wasn't found. This garantees that msg is either a error pointer or a copy address. Otherwise the last message in queue will be freed without unlinking from the queue (which leads to memory corruption) and the dummy allocated copy won't be released. Signed-off-by: Stanislav Kinsbursky Signed-off-by: Linus Torvalds ipc/msg.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit a997fbbe7a37ffd805f4784a18b8e530da6978d1 Author: Jan Kara Date: Fri Mar 29 15:39:16 2013 +0100 Upstream commit: 35e5cbc0af240778e61113286c019837e06aeec6 reiserfs: Fix warning and inode leak when deleting inode with xattrs After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs started failing to delete xattrs from inode. This was due to a buggy test for '.' and '..' in fill_with_dentries() which resulted in passing '.' and '..' entries to lookup_one_len() in some cases. That returned error and so we failed to iterate over all xattrs of and inode. Fix the test in fill_with_dentries() along the lines of the one in lookup_one_len(). Reported-by: Pawel Zawora CC: stable@vger.kernel.org Signed-off-by: Jan Kara fs/reiserfs/xattr.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 9f07957378e0f55abb81da8e23b124a608fbe1cc Author: Paul Bolle Date: Wed Apr 3 12:24:45 2013 +0100 Upstream commit: 4e1db26a0b42e2b6e27c05d68adcc01709c2eed2 ARM: 7690/1: mm: fix CONFIG_LPAE typos CONFIG_LPAE doesn't exist: the correct option is CONFIG_ARM_LPAE, so fix up the two typos under arch/arm/. The fix to head.S is slightly scary, but this is just for setting up an early io-mapping for the serial port when running on a big-endian, LPAE system. Since these systems don't exist in the wild (at least, I have no access to one outside of kvmtool, which doesn't provide a serial port suitable for earlyprintk), then we can revisit the code later if it causes any problems. Signed-off-by: Paul Bolle Signed-off-by: Will Deacon Signed-off-by: Russell King arch/arm/kernel/head.S | 2 +- arch/arm/kernel/setup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 984ba346b2d8f158473e9723ba145031368431ed Author: Catalin Marinas Date: Tue Mar 26 23:35:04 2013 +0100 Upstream commit: 93dc68876b608da041fe40ed39424b0fcd5aa2fb ARM: 7684/1: errata: Workaround for Cortex-A15 erratum 798181 (TLBI/DSB operations) On Cortex-A15 (r0p0..r3p2) the TLBI/DSB are not adequately shooting down all use of the old entries. This patch implements the erratum workaround which consists of: 1. Dummy TLBIMVAIS and DSB on the CPU doing the TLBI operation. 2. Send IPI to the CPUs that are running the same mm (and ASID) as the one being invalidated (or all the online CPUs for global pages). 3. CPU receiving the IPI executes a DMB and CLREX (part of the exception return code already). Signed-off-by: Catalin Marinas Signed-off-by: Russell King Conflicts: arch/arm/include/asm/tlbflush.h arch/arm/kernel/smp_tlb.c arch/arm/mm/context.c arch/arm/Kconfig | 10 +++++ arch/arm/include/asm/highmem.h | 7 ++++ arch/arm/include/asm/mmu_context.h | 2 + arch/arm/include/asm/tlbflush.h | 15 ++++++++ arch/arm/kernel/smp_tlb.c | 66 ++++++++++++++++++++++++++++++++++++ arch/arm/mm/context.c | 6 ++- 6 files changed, 104 insertions(+), 2 deletions(-) commit 9a6ef010c38b3d5471886d2dea6e3c1622e2a286 Author: Jan Stancek Date: Thu Apr 4 11:35:10 2013 -0700 Upstream commit: b6a9b7f6b1f21735a7456d534dc0e68e61359d2c mm: prevent mmap_cache race in find_vma() find_vma() can be called by multiple threads with read lock held on mm->mmap_sem and any of them can update mm->mmap_cache. Prevent compiler from re-fetching mm->mmap_cache, because other readers could update it in the meantime: thread 1 thread 2 | find_vma() | find_vma() struct vm_area_struct *vma = NULL; | vma = mm->mmap_cache; | if (!(vma && vma->vm_end > addr | && vma->vm_start <= addr)) { | | mm->mmap_cache = vma; return vma; | ^^ compiler may optimize this | local variable out and re-read | mm->mmap_cache | This issue can be reproduced with gcc-4.8.0-1 on s390x by running mallocstress testcase from LTP, which triggers: kernel BUG at mm/rmap.c:1088! Call Trace: ([<000003d100c57000>] 0x3d100c57000) [<000000000023a1c0>] do_wp_page+0x2fc/0xa88 [<000000000023baae>] handle_pte_fault+0x41a/0xac8 [<000000000023d832>] handle_mm_fault+0x17a/0x268 [<000000000060507a>] do_protection_exception+0x1e2/0x394 [<0000000000603a04>] pgm_check_handler+0x138/0x13c [<000003fffcf1f07a>] 0x3fffcf1f07a Last Breaking-Event-Address: [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168 Thanks to Jakub Jelinek for his insight on gcc and helping to track this down. Signed-off-by: Jan Stancek Acked-by: David Rientjes Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds mm/mmap.c | 2 +- mm/nommu.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 53f5096daa14967938bc154e6c41f9119863fb36 Merge: e988d7c 0a45285 Author: Brad Spengler Date: Fri Apr 5 17:32:31 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/net/ethernet/broadcom/tg3.c commit 0a452855444d02502df6eb21ef3083cf303f71e1 Merge: 0277fa1 00cfbb8 Author: Brad Spengler Date: Fri Apr 5 17:31:15 2013 -0400 Update to pax-linux-3.8.6-test16.patch: - fixed some attribute leakage into userland headers, patch by Mathias Krause - fixed some of the access_*_vm related breakage that trigger size overflows, reported by Hunger Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/intel_display.c commit e988d7c8d946c816a2cb97f0d38048a1584966b8 Merge: baec40e 0277fa1 Author: Brad Spengler Date: Wed Apr 3 22:05:41 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0277fa123b486cf11420967e4568d7653e225fd3 Author: Brad Spengler Date: Wed Apr 3 22:04:48 2013 -0400 Update to pax-linux-3.8.5-test15.patch: - fixed section mismatch error caused by CONSTIFY (http://forums.grsecurity.net/viewtopic.php?f=3&t=3388 and http://forums.grsecurity.net/viewtopic.php?f=3&t=3391) - fixed integer type mixup in the cx88 driver (http://forums.grsecurity.net/viewtopic.php?f=3&t=3394) drivers/media/pci/cx88/cx88-video.c | 6 +++--- include/net/net_namespace.h | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) commit baec40e6708fd5ae2000cad6c70c5980c998b91c Author: Brad Spengler Date: Tue Apr 2 19:50:32 2013 -0400 fix compilation as reported on forums for gcc versions lacking plugin support include/net/net_namespace.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit f6da5efca8a7edc9d3af02d6c35fddae0d2fd095 Merge: 6b69c35 0db9d15 Author: Brad Spengler Date: Tue Apr 2 17:47:27 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0db9d156826bdd50510086fde837648a3dfd370e Author: Brad Spengler Date: Tue Apr 2 17:46:05 2013 -0400 Update to pax-linux-3.8.5-test14.patch: - removed some no longer necessary __size_overflow marks and updated the overflow plugin's hash table arch/x86/include/asm/uaccess_64.h | 6 +- include/linux/moduleloader.h | 4 +- tools/gcc/size_overflow_hash.data | 98 +++++++++++++++++++++---------------- 3 files changed, 61 insertions(+), 47 deletions(-) commit 6b69c3589fa97b454a08c28ecfac5a512f610f4d Author: Brad Spengler Date: Tue Apr 2 17:35:06 2013 -0400 remove duplicate compiler.h include/linux/sysrq.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 01e1d503fd2220adaaec0b92ea19441bdff73555 Author: Brad Spengler Date: Fri Mar 29 19:53:50 2013 -0400 fix intentional_overflow marking on sys_sendto include/linux/syscalls.h | 2 +- net/socket.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit cd5ff114d958470f471c63775278e8c05e774630 Author: Brad Spengler Date: Fri Mar 29 18:46:16 2013 -0400 fix size_overflow false positive kernel/futex_compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 295ba16cc53df2375261accbedd6575ea327770a Merge: 18340f1 278a989 Author: Brad Spengler Date: Fri Mar 29 17:36:18 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/exec.c include/linux/thread_info.h commit 278a989c831d62193c7b3d119fe2302babd45d12 Author: Brad Spengler Date: Fri Mar 29 17:34:34 2013 -0400 Resync with pax-linux-3.8.5-test13.patch arch/arm/include/asm/pgtable.h | 3 ++- arch/arm/lib/delay.c | 1 + fs/exec.c | 8 ++++---- include/linux/compiler.h | 1 + include/linux/proc_fs.h | 2 +- include/linux/thread_info.h | 6 +++--- include/linux/zlib.h | 3 ++- init/main.c | 4 ++-- kernel/user_namespace.c | 2 +- lib/list_debug.c | 4 ++-- mm/slab.c | 1 + mm/slob.c | 1 + mm/slub.c | 1 + net/core/sysctl_net_core.c | 3 +-- tools/gcc/constify_plugin.c | 1 + 15 files changed, 24 insertions(+), 17 deletions(-) commit 18340f14bd42d06c60995ab04cf6bb235bcaade6 Merge: 05f01ae e8cfeae Author: Brad Spengler Date: Fri Mar 29 17:30:57 2013 -0400 Merge branch 'pax-test' into grsec-test commit e8cfeae7751abb844911a15114dff5c9b2b9fcd9 Merge: b461cb7 aa4cfde Author: Brad Spengler Date: Fri Mar 29 17:30:44 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: drivers/gpu/drm/i915/i915_gem_execbuffer.c fs/nfsd/vfs.c commit 05f01ae4c3479541586a2387f916a6620889c479 Author: Brad Spengler Date: Fri Mar 29 17:05:39 2013 -0400 Another infoleak, up to 128 bytes on the stack in __sys_recvmsg takes user-provided length, copies up to that amount in a sockaddr_storage struct on the stack, then takes an upper-bounded-only user-provided length and copies the sockaddr_storage struct back out to userland, complete with uninitialized data net/socket.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit eea6ade59490784e83e08ec67322288fcf14cb31 Author: Brad Spengler Date: Thu Mar 28 23:07:37 2013 -0400 return a proper error, otherwise we could be accessing uninitialized data (previous define was a positive value) drivers/usb/storage/realtek_cr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3cc43b90104c3016adb40f412ce2e4b0dcdd4c9e Merge: c3dc9a6 b461cb7 Author: Brad Spengler Date: Thu Mar 28 20:54:24 2013 -0400 Merge branch 'pax-test' into grsec-test commit b461cb7b1d85490430ef7896c247794af72c3749 Author: Brad Spengler Date: Thu Mar 28 20:54:11 2013 -0400 Add structleak plugin tools/gcc/structleak_plugin.c | 270 +++++++++++++++++++++++++++++++++++++++++ 1 files changed, 270 insertions(+), 0 deletions(-) commit c3dc9a6ef10782894bb11fd088fd712db44d8062 Author: Brad Spengler Date: Thu Mar 28 20:53:22 2013 -0400 Enable structleak by default for the security auto-config security/Kconfig | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) commit 6568e7348222fbe00256c9d337c4c24ee57e3f7e Merge: d8503a3 74bec16 Author: Brad Spengler Date: Thu Mar 28 20:47:10 2013 -0400 Merge branch 'pax-test' into grsec-test commit 74bec16b657147a5575b1f14f4423a717ba317a6 Author: Brad Spengler Date: Thu Mar 28 20:46:13 2013 -0400 Update to pax-linux-3.8.4-test13.patch: - fixed bug with the old PAGEEXEC method and hugetlb, reported by Alex Efros (https://bugs.gentoo.org/show_bug.cgi?id=437722) - added a new gcc plugin to plug (pun intended) some of the kernel stack leaks to userland Makefile | 5 +++- arch/x86/include/asm/compat.h | 2 +- arch/x86/mm/fault.c | 3 +- fs/binfmt_elf.c | 2 +- include/linux/compiler.h | 42 ++++++++++++++-------------------------- security/Kconfig | 16 +++++++++++++++ tools/gcc/Makefile | 2 + tools/gcc/constify_plugin.c | 7 +++++- 8 files changed, 47 insertions(+), 32 deletions(-) commit d8503a3a35d68b9ba1615d29335aef3f70d51465 Author: Brad Spengler Date: Thu Mar 28 20:02:40 2013 -0400 Fix 8-byte stack infoleak in ia32_rt_sigpending User controls length, kernel only performs check on the upper bound, will fill in any amount less than sizeof(sigset_t) via a copy_to_user under KERNEL_DS in sys_rt_sigpending, then will copy the full size of compat_sigset_t regardless of whether the sigset_t content copied into it has been initialized or not arch/x86/ia32/sys_ia32.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 46a9f4b871ebf298ee67cc3f799dbd6c2382022b Author: Brad Spengler Date: Tue Mar 26 21:05:05 2013 -0400 commit 814d9d4f9164c3d778dadd093a54bb55d9a0c576 Author: J. Bruce Fields Date: Tue Mar 26 14:11:13 2013 -0400 nfsd4: reject "negative" acl lengths Since we only enforce an upper bound, not a lower bound, a "negative" length can get through here. The symptom seen was a warning when we attempt to a kmalloc with an excessive size. Reported-by: Toralf Förster Signed-off-by: J. Bruce Fields fs/nfsd/nfs4xdr.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2cf84a1843bfdf9298e2a1dc8df4e52d11a1af89 Author: Jeff Layton Date: Mon Mar 11 09:52:19 2013 -0400 Upstream commit: f853c616883a8de966873a1dab283f1369e275a1 cifs: ignore everything in SPNEGO blob after mechTypes We've had several reports of people attempting to mount Windows 8 shares and getting failures with a return code of -EINVAL. The default sec= mode changed recently to sec=ntlmssp. With that, we expect and parse a SPNEGO blob from the server in the NEGOTIATE reply. The current decode_negTokenInit function first parses all of the mechTypes and then tries to parse the rest of the negTokenInit reply. The parser however currently expects a mechListMIC or nothing to follow the mechTypes, but Windows 8 puts a mechToken field there instead to carry some info for the new NegoEx stuff. In practice, we don't do anything with the fields after the mechTypes anyway so I don't see any real benefit in continuing to parse them. This patch just has the kernel ignore the fields after the mechTypes. We'll probably need to reinstate some of this if we ever want to support NegoEx. Reported-by: Jason Burgess Reported-by: Yan Li Signed-off-by: Jeff Layton Cc: Signed-off-by: Steve French fs/cifs/asn1.c | 53 +++++------------------------------------------------ 1 files changed, 5 insertions(+), 48 deletions(-) commit 0b1c6223105a05d5a84e39a5e951868e37610e1c Merge: 93ff726 0deb54c Author: Brad Spengler Date: Mon Mar 25 18:35:15 2013 -0400 Merge branch 'pax-test' into grsec-test commit 0deb54c1f47145aef38f4d2bf0b7de3e9fbab959 Author: Brad Spengler Date: Mon Mar 25 18:35:05 2013 -0400 fix typo arch/x86/mm/ioremap.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 93ff72680353534d4b0b213aecb61f1fc2f9a152 Merge: be9f8b8 f95e53a Author: Brad Spengler Date: Mon Mar 25 18:30:06 2013 -0400 Merge branch 'pax-test' into grsec-test commit f95e53abadb6e4665866e4502ff9f518514193e1 Author: Brad Spengler Date: Mon Mar 25 18:29:25 2013 -0400 Update to pax-linux-3.8.4-test12.patch: - fixed perf compilation reported by Michael Tremer - fixed USERCOPY reports triggered by SCTP, reported by mcp - last fix for aslr gap accounting, promise (thanks to spender) arch/x86/mm/ioremap.c | 3 +++ fs/binfmt_elf.c | 5 ++--- mm/mmap.c | 2 +- net/sctp/socket.c | 19 +++++++++++++++---- tools/perf/util/include/linux/compiler.h | 8 ++++++++ 5 files changed, 29 insertions(+), 8 deletions(-) commit be9f8b82b0d8a21d7515fb6e44a907623381c5df Author: Brad Spengler Date: Mon Mar 25 16:48:34 2013 -0400 From: Al Viro To: Brad Spengler Cc: Linus Torvalds Umm... I see what you are describing, and AFAICS you are correct; let me see if I am misreading your analysis: * vfsmount_lock may act fair; A holding it shared, with B spinning on attempt to take it exclusive may lead to C spinning on attempt to take it shared. * path_is_under() tries get rename_lock while holding vfsmount_lock shared. * d_path() et.al. try to take vfsmount_lock shared, while holding rename_lock. All true and yes, it's a bug (I'd probably classify it as a livelock, but that doesn't make any real difference). There are three possible solutions, AFAICS: 1) two-liner in path_is_under() replacing the use of vfsmount_lock with that of namespace_sem; trivial, but results in function unexpectedly blocking. The current callers are fine with that, but it's a trouble waiting to happen. 2) replace write_seqlock() in prepend_path() callers with read_seqbegin/read_seqretry loops; bigger and more brittle, since unlike is_subdir() we need more than just ->d_parent not pointing to something freed - we also care about ->d_name.len being in sync with ->d_name.name. It probably can be worked around, but... 3) declare that rename_lock nests inside vfsmount_lock and let the callers of prepend_path() take vfsmount_lock(). I'd probably prefer that one... Nest rename_lock inside vfsmount_lock ... lest we get livelocks between path_is_under() and d_path() and friends. [ add grsec-specific bits, thanks to Alexey Vlasov for his patience in reproducing the issue ] Spotted-by: Brad Spengler Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/dcache.c | 16 +++++++++++----- grsecurity/gracl.c | 20 ++++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-) commit d9253ae96e0e88510ae7b8adb8ab3ef089be6dee Author: Linus Torvalds Date: Fri Mar 22 11:44:04 2013 -0700 Upstream commit: 51f0885e5415b4cc6535e9cdcc5145bfbc134353 vfs,proc: guarantee unique inodes in /proc Dave Jones found another /proc issue with his Trinity tool: thanks to the namespace model, we can have multiple /proc dentries that point to the same inode, aliasing directories in /proc//net/ for example. This ends up being a total disaster, because it acts like hardlinked directories, and causes locking problems. We rely on the topological sort of the inodes pointed to by dentries, and if we have aliased directories, that odering becomes unreliable. In short: don't do this. Multiple dentries with the same (directory) inode is just a bad idea, and the namespace code should never have exposed things this way. But we're kind of stuck with it. This solves things by just always allocating a new inode during /proc dentry lookup, instead of using "iget_locked()" to look up existing inodes by superblock and number. That actually simplies the code a bit, at the cost of potentially doing more inode [de]allocations. That said, the inode lookup wasn't free either (and did a lot of locking of inodes), so it is probably not that noticeable. We could easily keep the old lookup model for non-directory entries, but rather than try to be excessively clever this just implements the minimal and simplest workaround for the problem. Reported-and-tested-by: Dave Jones Analyzed-by: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Conflicts: fs/proc/inode.c fs/proc/inode.c | 9 +++------ 1 files changed, 3 insertions(+), 6 deletions(-) commit 399d3bbdb82db765c86118ae5a0bf1d2d17762fb Author: Vladimir Davydov Date: Fri Mar 22 15:04:51 2013 -0700 Upstream commit: 38d78e587d4960d0db94add518d27ee74bad2301 mqueue: sys_mq_open: do not call mnt_drop_write() if read-only mnt_drop_write() must be called only if mnt_want_write() succeeded, otherwise the mnt_writers counter will diverge. mnt_writers counters are used to check if remounting FS as read-only is OK, so after an extra mnt_drop_write() call, it would be impossible to remount mqueue FS as read-only. Besides, on umount a warning would be printed like this one: ===================================== [ BUG: bad unlock balance detected! ] 3.9.0-rc3 #5 Not tainted ------------------------------------- a.out/12486 is trying to release lock (sb_writers) at: mnt_drop_write+0x1f/0x30 but there are no more locks to release! Signed-off-by: Vladimir Davydov Cc: Doug Ledford Cc: KOSAKI Motohiro Cc: "Eric W. Biederman" Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/mqueue.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit d3859c71e2ec174b6f3e5cbe06d3011cdddaa59e Author: Brad Spengler Date: Sat Mar 23 13:02:32 2013 -0400 Don't use constify plugin if not enabled in config, reported by Alexey Vlasov Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 3afb82e020593249ac394e9859397c3e0ef5341c Author: Brad Spengler Date: Sat Mar 23 12:50:13 2013 -0400 oded 0day #2 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 20 drivers/net/ethernet/broadcom/tg3.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 4cc4b98b29faff2530540be16e0fcd8a74800b06 Author: Brad Spengler Date: Sat Mar 23 12:15:50 2013 -0400 oded 0day #1 http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf slide 18 drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8a3292af6fdae4b88b49a2a4ef96eee145b4d479 Author: Brad Spengler Date: Sat Mar 23 12:13:12 2013 -0400 remove warning on accessing this /proc entry, HIDESYM already caught the infoleak drivers/gpu/drm/i915/i915_debugfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 44cb11a9470f72157601d0ad4d572d111f90f504 Author: Brad Spengler Date: Fri Mar 22 18:11:42 2013 -0400 use VM_DONTDUMP fs/binfmt_elf.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 92dd7f850ae63e3ddc3d262f2b7134cf54b51abb Author: Brad Spengler Date: Fri Mar 22 17:53:09 2013 -0400 fix recent RLIMIT_AS changes (due to vm_flags typo) Conflicts: fs/binfmt_elf.c fs/binfmt_elf.c | 2 +- mm/mmap.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit fd5f0d92b0fbec02029dad124501a9c80e527a32 Author: Brad Spengler Date: Fri Mar 22 17:08:48 2013 -0400 complete_walk drops rcu-walk mode, no need for our own dropping method outside of generic_permission fs/namei.c | 30 ------------------------------ 1 files changed, 0 insertions(+), 30 deletions(-) commit b49ab1c73edb6442eec609b26bba4d850b3111b6 Merge: 5e9a707 783ade9 Author: Brad Spengler Date: Thu Mar 21 21:56:28 2013 -0400 Merge branch 'pax-test' into grsec-test commit 783ade9f97f0f736e3c83275b7c9fcb2d6e9d9c4 Author: Brad Spengler Date: Thu Mar 21 21:55:31 2013 -0400 Update to pax-linux-3.8.3-test11.patch: - rewrote the ASLR gap accounting code once again - fixed ptrace compat bug found by the size overflow plugin fs/binfmt_elf.c | 25 ++++++++++++------------- fs/exec.c | 7 ++----- include/linux/compat.h | 2 +- include/linux/mm.h | 5 +++++ include/linux/mm_types.h | 2 +- kernel/ptrace.c | 2 +- mm/mmap.c | 15 ++++++++++----- 7 files changed, 32 insertions(+), 26 deletions(-) commit 5e9a7077d935b2279f25428c5d32fd53cbbfb92a Author: Brad Spengler Date: Thu Mar 21 19:37:33 2013 -0400 Make the constify plugin usage actually depend on the introduced config option (it was still forced on) tools/gcc/Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 1974b4f58d9d729c80ac1987785446115304a54c Author: Brad Spengler Date: Thu Mar 21 16:12:38 2013 -0400 fix failed merge arch/arm/mm/fault.c | 15 +++------------ 1 files changed, 3 insertions(+), 12 deletions(-) commit 675a8ab4a8fe8315df348735a37a302a7535224c Author: Brad Spengler Date: Wed Mar 20 23:36:14 2013 -0400 From c4dab66c31612717f798e1e8ff11b57253a81a31 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 10 Mar 2013 20:09:31 +0000 Subject: drm/i915: bounds check execbuffer relocation count It is possible to wrap the counter used to allocate the buffer for relocation copies. This could lead to heap writing overflows. CVE-2013-0913 Signed-off-by: Kees Cook Reported-by: Pinkie Pie Cc: stable@vger.kernel.org drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- 1 files changed, 8 insertions(+), 3 deletions(-) commit ddeac12cbb9076bffd51c544e03463f94c9eaa39 Author: Andy Honig Date: Wed Feb 20 14:48:10 2013 -0800 Upstream commit: 0b79459b482e85cb7426aa7da683a9f2c97aeae1 KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797) There is a potential use after free issue with the handling of MSR_KVM_SYSTEM_TIME. If the guest specifies a GPA in a movable or removable memory such as frame buffers then KVM might continue to write to that address even after it's removed via KVM_SET_USER_MEMORY_REGION. KVM pins the page in memory so it's unlikely to cause an issue, but if the user space component re-purposes the memory previously used for the guest, then the guest will be able to corrupt that memory. Tested: Tested against kvmclock unit test Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/include/asm/kvm_host.h | 4 +- arch/x86/kvm/x86.c | 47 ++++++++++++++++---------------------- 2 files changed, 22 insertions(+), 29 deletions(-) commit 0bcac31b57c381001feb69fd6ec8069e61e03432 Author: Andy Honig Date: Mon Mar 11 09:34:52 2013 -0700 Upstream commit: c300aa64ddf57d9c5d9c898a64b36877345dd4a9 KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME (CVE-2013-1796) If the guest sets the GPA of the time_page so that the request to update the time straddles a page then KVM will write onto an incorrect page. The write is done byusing kmap atomic to get a pointer to the page for the time structure and then performing a memcpy to that page starting at an offset that the guest controls. Well behaved guests always provide a 32-byte aligned address, however a malicious guest could use this to corrupt host kernel memory. Tested: Tested against kvmclock unit test. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti arch/x86/kvm/x86.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) commit 695c59887e4ec10b0b695ab4f645d1226c433be0 Author: Andy Honig Date: Wed Feb 20 14:49:16 2013 -0800 Upstream commit: a2c118bfab8bc6b8bb213abfc35201e441693d55 KVM: Fix bounds checking in ioapic indirect register reads (CVE-2013-1798) If the guest specifies a IOAPIC_REG_SELECT with an invalid value and follows that with a read of the IOAPIC_REG_WINDOW KVM does not properly validate that request. ioapic_read_indirect contains an ASSERT(redir_index < IOAPIC_NUM_PINS), but the ASSERT has no effect in non-debug builds. In recent kernels this allows a guest to cause a kernel oops by reading invalid memory. In older kernels (pre-3.3) this allows a guest to read from large ranges of host memory. Tested: tested against apic unit tests. Signed-off-by: Andrew Honig Signed-off-by: Marcelo Tosatti virt/kvm/ioapic.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit c77e4017f6f372ac09751b6fcd85c35781dc2d9e Merge: aec3cd4 c522e3a Author: Brad Spengler Date: Wed Mar 20 19:38:25 2013 -0400 Merge branch 'pax-test' into grsec-test commit c522e3a2167ff5e18996e55ca8cca5ca6f6d29e3 Merge: c57d855 405acc3 Author: Brad Spengler Date: Wed Mar 20 19:38:11 2013 -0400 Merge branch 'linux-3.8.y' into pax-test commit aec3cd4d2bd54673b155d9ae3fb9c44becc790d1 Author: Brad Spengler Date: Tue Mar 19 19:56:04 2013 -0400 include linux/compiler.h include/linux/zlib.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 1f1109e97bc609218e52e4bb57683d3b23cf2e8e Author: Brad Spengler Date: Tue Mar 19 18:42:20 2013 -0400 fix missing sock_release() net/irda/af_irda.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit dd65c05cd24faf8946d4941434a553ee285c35a3 Author: Brad Spengler Date: Tue Mar 19 18:36:17 2013 -0400 fix mpt fusion infoleak drivers/message/fusion/mptbase.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit e297b4f150b769efdc4c547d3caf1e3c0f24735f Author: Brad Spengler Date: Tue Mar 19 18:33:45 2013 -0400 Fix size_overflow false positive reported by slashbeast include/linux/zlib.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 5b9982733764361c7102c2b1a9cbe42e5bf4f4be Author: Brad Spengler Date: Tue Mar 19 17:35:36 2013 -0400 fix up failed merge arch/arm/mm/fault.c | 9 ++------- 1 files changed, 2 insertions(+), 7 deletions(-) commit a1bdc34d1d882da3abf47923a760e5b0bbdaf0bd Author: Brad Spengler Date: Tue Mar 19 17:34:36 2013 -0400 update documentation on consequences of building without gcc plugin support Makefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit f49ae0f6c3bbedf6b3817ee2b1b232e0da7fa537 Author: Brad Spengler Date: Tue Mar 19 17:18:13 2013 -0400 fix compilation failure associated with the latent entropy plugin and lack of gcc plugin support reported on the forums init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit f00195c633f91cfbd8c1f530d2c371b713026e20 Author: Brad Spengler Date: Mon Mar 18 22:27:33 2013 -0400 Fix compile error reported by KDE on the forums kernel/user_namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2979c6ee78aabb4421873ea53581380c6bb6ed05 Merge: 0949569 c57d855 Author: Brad Spengler Date: Mon Mar 18 22:20:46 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/mm/fault.c arch/x86/mm/fault.c fs/exec.c commit c57d8557f5f2d77c2c7fa1f58316819a5e1f9293 Author: Brad Spengler Date: Mon Mar 18 21:22:03 2013 -0400 Update to pax-linux-3.8.2-test9.patch: arm changes from spender - removed userland access to the vectors page - removed obsolete sigreturn trampoline handling - added emulation for __kuser_get_tls - fixed missing uderef instrumentation in unaligned memory accessors (failed safe) - fixed recent sysfs/power_supply attr breakage reported by Steven Allen - hopefully fixed the remaining issues with aslr_gap accounting (http://forums.grsecurity.net/viewtopic.php?f=3&t=2960) - changed debian packager rules to include the compiler plugins, from Tyler Coumbes - fixed the sa_restorer leak discovered and reported by Emese Revfy (CVE-2013-0914, google chromium bug #177956) - new size overflow plugin from Emese that instruments a whole lot more code due to tracking function return values and more type casts as well. this found the above mentioned sa_restorer leak and would have protected against CVE-2013-0913. arch/arm/kernel/process.c | 5 +- arch/arm/kernel/signal.c | 24 +- arch/arm/kernel/traps.c | 7 - arch/arm/mm/alignment.c | 8 + arch/arm/mm/fault.c | 23 +- arch/arm/mm/mmu.c | 2 +- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/desc.h | 2 +- arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/io.h | 8 +- arch/x86/include/asm/paravirt.h | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 16 +- arch/x86/kernel/setup_percpu.c | 2 +- arch/x86/mm/fault.c | 4 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/physaddr.c | 4 +- drivers/ata/libahci.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 2 +- drivers/lguest/page_tables.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/power/power_supply_core.c | 1 + drivers/usb/core/message.c | 2 +- fs/befs/endian.h | 4 +- fs/binfmt_elf.c | 5 +- fs/exec.c | 4 +- fs/qnx6/qnx6.h | 4 +- fs/sysv/sysv.h | 2 +- fs/ubifs/io.c | 2 +- fs/ufs/swab.h | 4 +- include/linux/compat.h | 4 +- include/linux/completion.h | 6 +- include/linux/cpumask.h | 12 +- include/linux/ctype.h | 2 +- include/linux/err.h | 4 +- include/linux/math64.h | 6 +- include/linux/sched.h | 2 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/uapi/linux/byteorder/little_endian.h | 4 +- include/uapi/linux/swab.h | 6 +- kernel/sched/core.c | 6 +- kernel/signal.c | 3 + kernel/time.c | 2 +- kernel/timer.c | 2 +- lib/div64.c | 4 +- mm/page-writeback.c | 2 +- net/socket.c | 2 + scripts/package/builddeb | 1 + tools/gcc/size_overflow_hash.data | 8869 +++++++++++++++---------- tools/gcc/size_overflow_plugin.c | 1072 ++-- 53 files changed, 6227 insertions(+), 3951 deletions(-) commit 09495691bb31f11ec14d9127429f9a0f3f716f22 Author: Brad Spengler Date: Sun Mar 17 20:51:50 2013 -0400 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit deb85b00d0f9f886e264e116313f298401ec5c59 Author: Brad Spengler Date: Sun Mar 17 20:03:33 2013 -0400 Call update_rlimit_cpu to immediately change RLIMIT_CPU on the task with a subject applied to it with RES_CPU. Otherwise, the limit will only begin to be applied at fork time. Thanks to Bjornar Ness for the report. grsecurity/gracl.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 2126421f123513f604ceef2b23ba9ed516de7e58 Author: Brad Spengler Date: Sat Mar 16 22:07:43 2013 -0400 Move inode auditing prior to our refcnt dropping fs/namei.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4d4e665885aab4bacfe662ad6d2190fc9d817146 Author: Brad Spengler Date: Sat Mar 16 22:00:30 2013 -0400 Drop reference on completed path walked in RCU mode or when violating the chroot fchdir check inside a chroot -- possible culprit for a reported vfsmount_lock hang during unmount fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit 53a8a413f45340ee176dd36dd283de3a1ebb7417 Author: Brad Spengler Date: Sat Mar 16 16:43:45 2013 -0400 add user_arg_ptr back to exec.c fs/exec.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 83d285953c7e75db388c7f65be5cf1e16fcedec8 Author: Brad Spengler Date: Sat Mar 16 11:22:36 2013 -0400 Don't globally include compat.h -- with the new X32 support it changes some definitions involving ELF binaries resulting in invalid coredumps, as reported by KDE on the forums: http://forums.grsecurity.net/viewtopic.php?f=3&t=3310 Thanks to the PaX Team for debugging fs/exec.c | 3 +++ grsecurity/grsec_exec.c | 13 +++++++++++++ include/linux/grsecurity.h | 15 --------------- 3 files changed, 16 insertions(+), 15 deletions(-) commit 67a94583659cf6c583fbbb023ec2a8ed471ba94a Author: Brad Spengler Date: Thu Mar 14 20:59:26 2013 -0400 Add peer information to /proc/net/unix from Kenan Kalajdzic: http://marc.info/?l=linux-netdev&m=126745636809191&w=2 We use a "P" prefix to the inode number instead of "peer=". This additional information can be used, for instance, to find what processes are connected to MySQL's unix domain socket. net/unix/af_unix.c | 12 +++++++++--- 1 files changed, 9 insertions(+), 3 deletions(-) commit 1cd623d11a462d151ea8a5cace4521e1724911a3 Author: Oliver Neukum Date: Tue Mar 12 14:52:42 2013 +0100 Upstream commit: c0f5ecee4e741667b2493c742b60b6218d40b3aa USB: cdc-wdm: fix buffer overflow The buffer for responses must not overflow. If this would happen, set a flag, drop the data and return an error after user space has read all remaining data. Signed-off-by: Oliver Neukum CC: stable@kernel.org Signed-off-by: Greg Kroah-Hartman drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++--- 1 files changed, 20 insertions(+), 3 deletions(-) commit 3e9e7beb379eaf424d0634c0c556e47c07d367fc Merge: 9cdf9bc db4cb92 Author: Brad Spengler Date: Thu Mar 14 20:23:14 2013 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/keys/compat.c commit db4cb924546e3fec3a59f78d056f48176eaf7100 Author: Brad Spengler Date: Thu Mar 14 20:22:24 2013 -0400 Update to pax-linux-3.8.2-test8.patch arch/arm/include/asm/cache.h | 2 ++ arch/arm/mach-omap2/gpmc.c | 22 ++++++++++++---------- arch/arm/mach-omap2/omap_device.c | 4 ++-- arch/arm/mach-omap2/omap_device.h | 4 ++-- arch/arm/plat-orion/include/plat/addr-map.h | 2 +- 5 files changed, 19 insertions(+), 15 deletions(-) commit 5e72fcce7c468d29168c64c72c18ff5ff0d3b4ae Merge: 3c865f9 1a45c31 Author: Brad Spengler Date: Thu Mar 14 20:20:54 2013 -0400 Merge branch 'linux-3.8.y' into pax-test Conflicts: arch/arm/include/asm/delay.h arch/arm/include/asm/pgtable.h arch/arm/lib/delay.c security/keys/compat.c commit 9cdf9bccf22d6a6741e4152bb5d32335beb8caf1 Author: Al Viro Date: Tue Mar 12 02:59:49 2013 +0000 Upstream commit: a930d8790552658140d7d0d2e316af4f0d76a512 vfs: fix pipe counter breakage If you open a pipe for neither read nor write, the pipe code will not add any usage counters to the pipe, causing the 'struct pipe_inode_info" to be potentially released early. That doesn't normally matter, since you cannot actually use the pipe, but the pipe release code - particularly fasync handling - still expects the actual pipe infrastructure to all be there. And rather than adding NULL pointer checks, let's just disallow this case, the same way we already do for the named pipe ("fifo") case. This is ancient going back to pre-2.4 days, and until trinity, nobody naver noticed. Reported-by: Dave Jones Signed-off-by: Linus Torvalds fs/pipe.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit c11fa4be226659a40a6c73f0fa09fee074fba1b2 Author: Mathieu Desnoyers Date: Mon Feb 25 10:20:36 2013 -0500 Upstream commit: 8aec0f5d4137532de14e6554fd5dd201ff3a3c49 Fix: compat_rw_copy_check_uvector() misuse in aio, readv, writev, and security keys Looking at mm/process_vm_access.c:process_vm_rw() and comparing it to compat_process_vm_rw() shows that the compatibility code requires an explicit "access_ok()" check before calling compat_rw_copy_check_uvector(). The same difference seems to appear when we compare fs/read_write.c:do_readv_writev() to fs/compat.c:compat_do_readv_writev(). This subtle difference between the compat and non-compat requirements should probably be debated, as it seems to be error-prone. In fact, there are two others sites that use this function in the Linux kernel, and they both seem to get it wrong: Now shifting our attention to fs/aio.c, we see that aio_setup_iocb() also ends up calling compat_rw_copy_check_uvector() through aio_setup_vectored_rw(). Unfortunately, the access_ok() check appears to be missing. Same situation for security/keys/compat.c:compat_keyctl_instantiate_key_iov(). I propose that we add the access_ok() check directly into compat_rw_copy_check_uvector(), so callers don't have to worry about it, and it therefore makes the compat call code similar to its non-compat counterpart. Place the access_ok() check in the same location where copy_from_user() can trigger a -EFAULT error in the non-compat code, so the ABI behaviors are alike on both compat and non-compat. While we are here, fix compat_do_readv_writev() so it checks for compat_rw_copy_check_uvector() negative return values. And also, fix a memory leak in compat_keyctl_instantiate_key_iov() error handling. Acked-by: Linus Torvalds Acked-by: Al Viro Signed-off-by: Mathieu Desnoyers Signed-off-by: Linus Torvalds Conflicts: security/keys/compat.c fs/compat.c | 15 +++++++-------- mm/process_vm_access.c | 8 -------- security/keys/compat.c | 3 ++- 3 files changed, 9 insertions(+), 17 deletions(-) commit 13487f197ab2d5bc76156224c24c45a44bbd6a11 Author: Brad Spengler Date: Mon Mar 11 18:38:38 2013 -0400 Fix leak of signal handler addresses across execve, found by Emese Revfy kernel/signal.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 79b130c4b11c7940daf2b33d653a17666331c634 Merge: 6480ce9 3c865f9 Author: Brad Spengler Date: Sun Mar 10 20:04:03 2013 -0400 Merge branch 'pax-test' into grsec-test commit 3c865f9184c6fd56c634bce0096cfc8039d5c43d Author: Brad Spengler Date: Sun Mar 10 20:03:12 2013 -0400 Update to pax-linux-3.8.2-test7.patch: - fixed gcc asserts reported by KDE (http://forums.grsecurity.net/viewtopic.php?f=3&t=3342) - adjusted RLIMIT_AS accounting for the extra ASLR gap mappings, reported by Alexander Stoll (https://bugs.gentoo.org/show_bug.cgi?id=459268) fs/binfmt_elf.c | 3 ++- fs/exec.c | 3 +++ include/linux/mm_types.h | 2 +- init/main.c | 4 ++-- mm/mmap.c | 2 +- mm/page_alloc.c | 4 ++-- tools/gcc/latent_entropy_plugin.c | 11 +++++++---- 7 files changed, 18 insertions(+), 11 deletions(-) commit 6480ce919bd7d68ba14f3194e4bdd7b61bc8e491 Merge: 4a5305e 25b3569 Author: Brad Spengler Date: Sun Mar 10 10:41:16 2013 -0400 Merge branch 'pax-test' into grsec-test commit 25b356980568bed9958315bb5a551fdc610055ed Author: Brad Spengler Date: Sun Mar 10 10:40:48 2013 -0400 Update to pax-linux-3.8.2-test6.patch: - fixed a KERNEXEC false positive on arm reported by Gu1 - fixed various compile errors reported by x14sg1 (http://forums.grsecurity.net/viewtopic.php?f=3&t=3340) - fixed too strict mmap parameter checking on i386, reported by browndav (http://forums.grsecurity.net/viewtopic.php?f=1&t=3339) - added fix from spender for some namespace breakage reported by zakalwe - small latent entropy improvement: pass pax_extra_latent_entropy to the kernel to extract entropy from RAM content during boot Documentation/kernel-parameters.txt | 5 +++++ arch/arm/kernel/patch.c | 2 ++ arch/x86/kernel/sys_i386_32.c | 5 +++-- drivers/acpi/blacklist.c | 2 +- drivers/video/aty/mach64_cursor.c | 1 + init/main.c | 4 ---- mm/page_alloc.c | 27 +++++++++++++++++++++++++++ net/ipv4/ip_fragment.c | 2 +- security/Kconfig | 5 +++++ tools/gcc/latent_entropy_plugin.c | 7 +++++-- 10 files changed, 50 insertions(+), 10 deletions(-) commit 4a5305eb7b6c5e49c332feeca9b6bfead9ab917f Author: Brad Spengler Date: Sat Mar 9 11:19:06 2013 -0500 From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages send to group RTNLGRP_MDB afer a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 2/3] rtnl: fix info leak on RTM_GETLINK request for VF devices Date: Sat, 9 Mar 2013 16:52:20 +0100 Initialize the mac address buffer with 0 as the driver specific function will probably not fill the whole buffer. In fact, all in-kernel drivers fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible bytes. Therefore we currently leak 26 bytes of stack memory to userland via the netlink interface. Signed-off-by: Mathias Krause From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause Subject: [PATCH 3/3] dcbnl: fix various netlink info leaks Date: Sat, 9 Mar 2013 16:52:21 +0100 The dcb netlink interface leaks stack memory in various places: * perm_addr[] buffer is only filled at max with 12 of the 32 bytes but copied completely, * no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand, so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes for ieee_pfc structs, etc., * the same is true for CEE -- no in-kernel driver fills the whole struct, Prevent all of the above stack info leaks by properly initializing the buffers/structures involved. Signed-off-by: Mathias Krause net/bridge/br_mdb.c | 4 ++++ net/core/rtnetlink.c | 1 + net/dcb/dcbnl.c | 8 ++++++++ 3 files changed, 13 insertions(+), 0 deletions(-) commit 601dd446f896e3a362f706943df18a68d50420a1 Author: Brad Spengler Date: Sat Mar 9 09:35:25 2013 -0500 add open/close wrappers in __patch_text() as reported by Gu1 on IRC arch/arm/kernel/patch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit ae39966fd85a493e9079b357e3faa62245a41222 Author: Peter Hurley Date: Fri Mar 8 12:43:27 2013 -0800 Upstream commit: 88b9e456b1649722673ffa147914299799dc9041 ipc: don't allocate a copy larger than max When MSG_COPY is set, a duplicate message must be allocated for the copy before locking the queue. However, the copy could not be larger than was sent which is limited to msg_ctlmax. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msg.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) commit 61240e99650ea3e540a03a3e994349c5086f166b Author: Peter Hurley Date: Fri Mar 8 12:43:26 2013 -0800 Upstream commit: e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 ipc: fix potential oops when src msg > 4k w/ MSG_COPY If the src msg is > 4k, then dest->next points to the next allocated segment; resetting it just prior to dereferencing is bad. Signed-off-by: Peter Hurley Acked-by: Stanislav Kinsbursky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds ipc/msgutil.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit 51727f602a267f34fb2e0dc9557f1714028d51a2 Author: Brad Spengler Date: Fri Mar 8 22:14:06 2013 -0500 add missing 'else' in recent constify fixups net/ipv4/ip_fragment.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a38c1a640729b3d8e584d1ab98e908c221bc12cf Merge: 1580bb3 47c3f47 Author: Brad Spengler Date: Fri Mar 8 18:18:37 2013 -0500 Merge branch 'pax-test' into grsec-test commit 47c3f47ba4f874f5c72e4c04b76b6b92e44daebe Author: Brad Spengler Date: Fri Mar 8 18:17:22 2013 -0500 Update to pax-linux-3.8.2-test5.patch: - fixed some fallout after the last round of constification changes, reported by several people arch/arm/common/gic.c | 4 ++-- arch/arm/include/asm/hardware/gic.h | 3 ++- arch/x86/include/asm/nmi.h | 2 +- arch/x86/kernel/nmi.c | 2 +- arch/x86/pci/irq.c | 2 +- drivers/base/power/domain.c | 4 ++-- drivers/cpufreq/cpufreq_governor.c | 4 ++-- drivers/mfd/twl4030-irq.c | 1 + drivers/video/vesafb.c | 7 +++++-- include/linux/irq.h | 1 + include/linux/pm_domain.h | 2 +- kernel/sched/core.c | 4 ++++ lib/Kconfig.debug | 4 ++-- net/core/sysctl_net_core.c | 2 +- net/decnet/af_decnet.c | 1 + net/ipv4/devinet.c | 2 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/route.c | 2 +- net/ipv4/sysctl_net_ipv4.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- net/ipv6/reassembly.c | 2 +- scripts/sortextable.h | 6 +++--- 22 files changed, 36 insertions(+), 25 deletions(-) commit 1580bb38b4db0bf2a46316599815e8b234edad81 Author: Brad Spengler Date: Thu Mar 7 22:02:59 2013 -0500 add an additional open/close wrapper kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 21622672d28d58e0d93a805cd1f9650a894a752a Author: Brad Spengler Date: Thu Mar 7 21:58:24 2013 -0500 fix oops at shutdown with new constify code kernel/sched/core.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f6b9ab9fcc747bb1b14a4857d59e6681936220ec Author: Brad Spengler Date: Thu Mar 7 21:18:44 2013 -0500 Add PAX_CONSTIFY_PLUGIN, which we previously enabled unconditionally it currently conflicts with some lock debugging options, so made as an option to allow for debugging when necessary Makefile | 2 -- lib/Kconfig.debug | 6 +++--- security/Kconfig | 18 ++++++++++++++++++ 3 files changed, 21 insertions(+), 5 deletions(-) commit 0885b00b8373a1597b69c38032a0c9eee279303b Author: Brad Spengler Date: Thu Mar 7 20:55:19 2013 -0500 disable DEBUG_LOCK_ALLOC, as it conflicts with the new constify lib/Kconfig.debug | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c8a2617165e7127a54f293cbf57d22d50dd83abd Author: Brad Spengler Date: Thu Mar 7 20:30:41 2013 -0500 Fix error: drivers/video/vesafb.c:502:3: error: assignment of member ‘fb_pan_display’ in read-only object with cast and proper kernexec accessors drivers/video/vesafb.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit 99f2814d3e2a6db25985edc47c7e09c4a2d8c408 Author: Brad Spengler Date: Thu Mar 7 20:20:28 2013 -0500 fix typo grsecurity/gracl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 399674de6c42bbcae2d01b082d6d9ce9d183b000 Author: Brad Spengler Date: Thu Mar 7 20:12:17 2013 -0500 fix compilation error -- no reason for task_pid_nr to not take a const task ptr include/linux/sched.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a6c239eacf683f9dd2aeebb1b1adb71e5eedbd9f Author: Kees Cook Date: Mon Feb 25 21:32:25 2013 +0000 Upstream commit: e70ab977991964a5a7ad1182799451d067e62669 proc connector: reject unprivileged listener bumps While PROC_CN_MCAST_LISTEN/IGNORE is entirely advisory, it was possible for an unprivileged user to turn off notifications for all listeners by sending PROC_CN_MCAST_IGNORE. Instead, require the same privileges as required for a multicast bind. Signed-off-by: Kees Cook Cc: Evgeniy Polyakov Cc: Matt Helsley Cc: stable@vger.kernel.org Acked-by: Evgeniy Polyakov Acked-by: Matt Helsley Signed-off-by: David S. Miller drivers/connector/cn_proc.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) commit ac6014ded57101e3e608941555ff507e20c1ece3 Author: Dan Carpenter Date: Tue Feb 26 19:15:02 2013 +0000 Upstream commit: 90c7881ecee1f08e0a49172cf61371cf2509ee4a irda: small read beyond end of array in debug code charset comes from skb->data. It's a number in the 0-255 range. If we have debugging turned on then this could cause a read beyond the end of the array. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/iriap.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) commit e60bd2aad9bfdb68731cc888eae14a7600bd2ffe Author: Guenter Roeck Date: Wed Feb 27 10:57:31 2013 +0000 Upstream commit: 726bc6b092da4c093eb74d13c07184b18c1af0f1 net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS Building sctp may fail with: In function ‘copy_from_user’, inlined from ‘sctp_getsockopt_assoc_stats’ at net/sctp/socket.c:5656:20: arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct if built with W=1 due to a missing parameter size validation before the call to copy_from_user. Signed-off-by: Guenter Roeck Acked-by: Vlad Yasevich Signed-off-by: David S. Miller net/sctp/socket.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit be49e0ae9a4d0e8daa831d7d8d6f3a56beda3e3c Author: Guillaume Nault Date: Fri Mar 1 05:02:02 2013 +0000 Upstream commit: 8b82547e33e85fc24d4d172a93c796de1fefa81a l2tp: Restore socket refcount when sendmsg succeeds The sendmsg() syscall handler for PPPoL2TP doesn't decrease the socket reference counter after successful transmissions. Any successful sendmsg() call from userspace will then increase the reference counter forever, thus preventing the kernel's session and tunnel data from being freed later on. The problem only happens when writing directly on L2TP sockets. PPP sockets attached to L2TP are unaffected as the PPP subsystem uses pppol2tp_xmit() which symmetrically increase/decrease reference counters. This patch adds the missing call to sock_put() before returning from pppol2tp_sendmsg(). Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 98a9a5f981f5deda4059a255c1196886f2f27e2f Author: Cong Wang Date: Sun Mar 3 16:18:11 2013 +0000 Upstream commit: ece6b0a2b25652d684a7ced4ae680a863af041e0 rds: limit the size allocated by rds_message_alloc() Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [] warn_slowpath_common+0x75/0xa0 [] warn_slowpath_null+0x1a/0x20 [] __alloc_pages_nodemask+0xa0d/0xbe0 [] ? native_sched_clock+0x26/0x90 [] ? trace_hardirqs_off_caller+0x28/0xc0 [] ? trace_hardirqs_off+0xd/0x10 [] alloc_pages_current+0xb8/0x180 [] __get_free_pages+0x2a/0x80 [] kmalloc_order_trace+0x3e/0x1a0 [] __kmalloc+0x2f5/0x3a0 [] ? local_bh_enable_ip+0x7c/0xf0 [] rds_message_alloc+0x23/0xb0 [rds] [] rds_sendmsg+0x2b1/0x990 [rds] [] ? trace_hardirqs_off+0xd/0x10 [] sock_sendmsg+0xb0/0xe0 [] ? get_lock_stats+0x22/0x70 [] ? put_lock_stats.isra.23+0xe/0x40 [] sys_sendto+0x130/0x180 [] ? trace_hardirqs_on+0xd/0x10 [] ? _raw_spin_unlock_irq+0x3b/0x60 [] ? sysret_check+0x1b/0x56 [] ? trace_hardirqs_on_caller+0x115/0x1a0 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones Cc: Dave Jones Cc: David S. Miller Cc: Venkat Venkatsubra Signed-off-by: Cong Wang Acked-by: Venkat Venkatsubra Signed-off-by: David S. Miller net/rds/message.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b46df323e01c63c62fdb82cf2c47e4386f5a0499 Author: Cong Wang Date: Sun Mar 3 16:28:27 2013 +0000 Upstream commit: 3f736868b47687d1336fe88185560b22bb92021e sctp: use KMALLOC_MAX_SIZE instead of its own MAX_KMALLOC_SIZE Don't definite its own MAX_KMALLOC_SIZE, use the one defined in mm. Cc: Vlad Yasevich Cc: Sridhar Samudrala Cc: Neil Horman Cc: David S. Miller Signed-off-by: Cong Wang Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/ssnmap.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit 4295a024e812f903fc580c81de5e81cc149503fa Author: Brad Spengler Date: Thu Mar 7 17:57:49 2013 -0500 Upstream commit: https://lkml.org/lkml/2013/3/6/535 security/keys/process_keys.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 33edd486a9899a145a15586d7134636b0300aaee Merge: 4eeeaf3 a2a2094 Author: Brad Spengler Date: Thu Mar 7 17:53:00 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: arch/arm/include/asm/domain.h commit a2a20947f5e1332e474160a39af520738b3c8c19 Author: Brad Spengler Date: Thu Mar 7 17:51:04 2013 -0500 Update to pax-linux-3.8.2-test4.patch: fixed arm compilation problems reported by Michael Tremer - the constify plugin got smarter that enabled, with some additional patching, the elimination of about half the static function pointers on amd64/allmod (up from about 18%), depending on the kernel config it can be even more (70%) Documentation/dontdiff | 2 + arch/arm/include/asm/domain.h | 1 + arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/nmi.h | 4 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 10 +- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/i8259.c | 6 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/nmi.c | 6 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/irq.c | 6 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/base/bus.c | 4 +- drivers/base/node.c | 2 +- drivers/base/syscore.c | 4 +- drivers/block/drbd/drbd_receiver.c | 4 +- drivers/char/random.c | 2 +- drivers/cpufreq/acpi-cpufreq.c | 20 ++- drivers/cpufreq/cpufreq.c | 7 +- drivers/cpufreq/cpufreq_governor.c | 4 +- drivers/cpufreq/cpufreq_governor.h | 2 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/cpuidle.c | 2 +- drivers/cpuidle/governor.c | 4 +- drivers/cpuidle/sysfs.c | 2 +- drivers/devfreq/devfreq.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci_sysfs.c | 2 +- drivers/firewire/core-device.c | 2 +- drivers/firmware/dmi-id.c | 2 +- drivers/firmware/efivars.c | 2 +- drivers/firmware/google/memconsole.c | 4 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_ioc32.c | 9 +- drivers/gpu/drm/i915/i915_ioc32.c | 11 +- drivers/gpu/drm/i915/intel_display.c | 26 ++- drivers/gpu/drm/mga/mga_ioc32.c | 11 +- drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/r128/r128_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 11 +- drivers/gpu/drm/radeon/radeon_ttm.c | 33 ++-- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/hwmon/acpi_power_meter.c | 4 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/pmbus/pmbus_core.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/input/mouse/psmouse.h | 2 +- drivers/iommu/iommu.c | 2 +- drivers/leds/leds-clevo-mail.c | 2 +- drivers/leds/leds-ss4200.c | 2 +- drivers/media/v4l2-core/v4l2-ioctl.c | 5 +- drivers/mfd/twl4030-irq.c | 8 +- drivers/mfd/twl6030-irq.c | 10 +- drivers/misc/c2port/core.c | 4 +- drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_main.c | 2 +- drivers/net/macvlan.c | 16 +- drivers/net/vxlan.c | 2 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/platform/x86/msi-laptop.c | 14 +- drivers/platform/x86/sony-laptop.c | 2 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 6 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/staging/iio/iio_hwmon.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/video/aty/atyfb_base.c | 8 +- drivers/video/aty/mach64_cursor.c | 4 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fb_defio.c | 6 +- drivers/video/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/nvidia/nvidia.c | 27 ++- drivers/video/s1d13xxxfb.c | 6 +- drivers/video/smscufx.c | 4 +- drivers/video/udlfb.c | 4 +- drivers/video/uvesafb.c | 14 +- fs/exec.c | 6 +- fs/ext4/super.c | 2 +- fs/jfs/super.c | 4 +- fs/nfs/callback_xdr.c | 2 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 6 +- fs/nls/nls_base.c | 18 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/proc/proc_sysctl.c | 18 +- include/drm/drmP.h | 12 +- include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 2 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 2 +- include/linux/fscache.h | 2 +- include/linux/genl_magic_func.h | 2 +- include/linux/hwmon-sysfs.h | 5 +- include/linux/iommu.h | 2 +- include/linux/irq.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kobject.h | 1 + include/linux/kobject_ns.h | 2 +- include/linux/list.h | 14 +- include/linux/mod_devicetable.h | 2 +- include/linux/module.h | 5 +- include/linux/net.h | 2 +- include/linux/netfilter.h | 2 +- include/linux/nls.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/platform_data/usb-exynos.h | 2 +- include/linux/pnp.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/rculist.h | 16 ++ include/linux/sched.h | 2 +- include/linux/sock_diag.h | 2 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 6 +- include/linux/sysfs.h | 10 +- include/linux/sysrq.h | 1 + include/linux/xattr.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/genetlink.h | 2 +- include/net/ip.h | 2 +- include/net/ip_vs.h | 4 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/net_namespace.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/rtnetlink.h | 2 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/xfrm.h | 4 +- ipc/ipc_sysctl.c | 10 +- ipc/mq_sysctl.c | 2 +- kernel/kmod.c | 2 +- kernel/ksysfs.c | 2 +- kernel/module.c | 4 +- kernel/pid_namespace.c | 2 +- kernel/rcutree_plugin.h | 2 +- kernel/sched/core.c | 39 ++-- kernel/smpboot.c | 4 +- kernel/softirq.c | 2 +- kernel/sysctl.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- lib/Kconfig.debug | 2 +- lib/kobject.c | 4 +- lib/list_debug.c | 57 ++++- lib/swiotlb.c | 2 +- mm/hugetlb.c | 16 +- mm/memory-failure.c | 2 +- mm/slab_common.c | 2 +- net/9p/mod.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/core/neighbour.c | 2 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/rtnetlink.c | 11 +- net/core/sock_diag.c | 9 +- net/core/sysctl_net_core.c | 15 +- net/ipv4/af_inet.c | 8 +- net/ipv4/devinet.c | 12 +- net/ipv4/inet_connection_sock.c | 2 +- net/ipv4/ip_fragment.c | 9 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipip.c | 4 +- net/ipv4/route.c | 14 +- net/ipv4/sysctl_net_ipv4.c | 43 ++-- net/ipv6/addrconf.c | 4 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_gre.c | 6 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +- net/ipv6/reassembly.c | 11 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_ctl.c | 4 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netlink/genetlink.c | 16 +- net/phonet/sysctl.c | 2 +- net/rds/rds.h | 2 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/sysctl.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/svc.c | 4 +- net/unix/sysctl_net_unix.c | 2 +- net/xfrm/xfrm_policy.c | 11 +- net/xfrm/xfrm_state.c | 29 ++- net/xfrm/xfrm_sysctl.c | 2 +- security/apparmor/lsm.c | 2 +- security/keys/key.c | 18 +- security/yama/yama_lsm.c | 22 +- tools/gcc/Makefile | 4 +- tools/gcc/constify_plugin.c | 299 +++++++++++++++++++------ tools/gcc/size_overflow_plugin.c | 7 +- 248 files changed, 994 insertions(+), 668 deletions(-) commit 4eeeaf3a560e25d1685f8973ef676b205efaa81b Author: Brad Spengler Date: Wed Mar 6 12:58:21 2013 -0500 Make slab_state __read_only, it's only written to during init mm/slab_common.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit e7067b68d36fb9e0e8818de5d9ce1b4ba19ce24a Author: Brad Spengler Date: Wed Mar 6 12:31:35 2013 -0500 Make two new helper functions: gr_is_global_root() and gr_is_global_nonroot() grsecurity/gracl.c | 10 +++++----- grsecurity/gracl_segv.c | 2 +- grsecurity/grsec_link.c | 4 ++-- grsecurity/grsec_sig.c | 10 +++++----- grsecurity/grsec_tpe.c | 6 +++--- include/linux/uidgid.h | 2 ++ 6 files changed, 18 insertions(+), 16 deletions(-) commit d45d88eddd4998b280b1e5b5384289ee11ca7088 Author: Brad Spengler Date: Wed Mar 6 12:14:41 2013 -0500 convert remaining task->pid to task_pid_nr(task) grsecurity/gracl.c | 22 +++++++++++----------- grsecurity/gracl_shm.c | 2 +- grsecurity/grsec_chroot.c | 4 ++-- grsecurity/grsec_sig.c | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) commit c877f2ece03ee2232dd281c1977ae59507297124 Author: Brad Spengler Date: Tue Mar 5 17:29:54 2013 -0500 compat-log is only used anymore by vm86-on-64bit and allows unlimited spamming of the kernel log buffer (and since it includes the changable process name, can avoid syslog log deduplication) Turn it off by default fs/compat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7c1964c4b7276889d7967bee70e46918cdca1b14 Author: Brad Spengler Date: Mon Mar 4 17:19:10 2013 -0500 fix compilation error reported on IRC and forums when GRKERNSEC_PROC_USERGROUP is enabled, introduced with recent userns support init/main.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit c3ce01b94d8dd42b9c7942c0d513b152613e0656 Author: Brad Spengler Date: Sun Mar 3 18:46:12 2013 -0500 Prevent TOMOYO from auto-loading modules by unprivileged users (Only reachable if TOMOYO is actually used) security/tomoyo/mount.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 79e142f9455b398759ff9d93d4963a21b98dddda Author: Brad Spengler Date: Sun Mar 3 18:28:45 2013 -0500 For now, don't permit any special access to /proc in a user namespace Later we can go back and allow a userns-uid0 special access to a /proc with a non-global pid namespace fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8b91fb393049ce5f3c0a86f62247409853fd9700 Merge: d931eb8 603ef05 Author: Brad Spengler Date: Sun Mar 3 17:42:09 2013 -0500 Merge branch 'pax-test' into grsec-test commit 603ef0579b9c3765d999c1938cb7a120d8c8e00b Author: Brad Spengler Date: Sun Mar 3 17:41:31 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/mach-omap2/wd_timer.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit b4c9ce81fdd7839a150c97873c710c479e788280 Author: Brad Spengler Date: Sun Mar 3 17:39:53 2013 -0500 Fix compilation error on ARM reported by Michael Tremer arch/arm/kernel/armksyms.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d931eb81ab3da46896268fd61373a6aa7bbea930 Merge: bfa7f44 5948f93 Author: Brad Spengler Date: Sun Mar 3 17:34:36 2013 -0500 Merge branch 'pax-test' into grsec-test commit 5948f930bc1c2d22138c1c76ca7e1bc94b6a3ce0 Merge: ab30472 19b00d2 Author: Brad Spengler Date: Sun Mar 3 17:34:08 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit bfa7f445c5d484de51a5828b92ad2ff65053cc87 Author: Brad Spengler Date: Sun Mar 3 15:12:12 2013 -0500 Initial support for user namespaces, as we previously didn't allow the option to be enabled at all. RBAC will act on the global uids/gids only, so all uids/gids in user namespaces will be converted Because Eric Biederman is insulted that I didn't support his backdoor prior to it receiving proper review. I still have the CAP_SYS_ADMIN check in for user namespaces, so this is generally irrelevant. fs/exec.c | 6 +- fs/proc/base.c | 2 +- fs/proc/proc_net.c | 4 +- grsecurity/gracl.c | 128 +++++++++++++++++++++++++++++------------- grsecurity/gracl_cap.c | 4 +- grsecurity/gracl_ip.c | 16 +++--- grsecurity/gracl_segv.c | 12 +++- grsecurity/gracl_shm.c | 4 +- grsecurity/grsec_disabled.c | 10 ++-- grsecurity/grsec_fifo.c | 6 +- grsecurity/grsec_init.c | 24 ++++---- grsecurity/grsec_log.c | 3 - grsecurity/grsec_tpe.c | 6 +- include/linux/grinternal.h | 12 ++-- include/linux/grsecurity.h | 12 ++-- include/linux/uidgid.h | 3 + init/Kconfig | 2 - ipc/shm.c | 2 +- kernel/cred.c | 5 +- kernel/kallsyms.c | 2 +- kernel/kmod.c | 6 +- kernel/sys.c | 12 ++-- 22 files changed, 166 insertions(+), 115 deletions(-) commit 27a8cc1a9f22f95de6fe8740bdc900a160274dff Author: Linus Torvalds Date: Wed Feb 27 08:36:04 2013 -0800 Upstream commit: 09884964335e85e897876d17783c2ad33cf8a2e0 mm: do not grow the stack vma just because of an overrun on preceding vma The stack vma is designed to grow automatically (marked with VM_GROWSUP or VM_GROWSDOWN depending on architecture) when an access is made beyond the existing boundary. However, particularly if you have not limited your stack at all ("ulimit -s unlimited"), this can cause the stack to grow even if the access was really just one past *another* segment. And that's wrong, especially since we first grow the segment, but then immediately later enforce the stack guard page on the last page of the segment. So _despite_ first growing the stack segment as a result of the access, the kernel will then make the access cause a SIGSEGV anyway! So do the same logic as the guard page check does, and consider an access to within one page of the next segment to be a bad access, rather than growing the stack to abut the next segment. Reported-and-tested-by: Heiko Carstens Signed-off-by: Linus Torvalds mm/mmap.c | 27 +++++++++++++++++++++++++++ 1 files changed, 27 insertions(+), 0 deletions(-) commit 5596211af754867ca825f58e6e0300a8439950fe Author: H. Peter Anvin Date: Wed Feb 27 12:46:40 2013 -0800 Upstream commit: 7c10093692ed2e6f318387d96b829320aa0ca64c x86: Make sure we can boot in the case the BDA contains pure garbage On non-BIOS platforms it is possible that the BIOS data area contains garbage instead of being zeroed or something equivalent (firmware people: we are talking of 1.5K here, so please do the sane thing.) We need on the order of 20-30K of low memory in order to boot, which may grow up to < 64K in the future. We probably want to avoid the lowest of the low memory. At the same time, it seems extremely unlikely that a legitimate EBDA would ever reach down to the 128K (which would require it to be over half a megabyte in size.) Thus, pick 128K as the cutoff for "this is insane, ignore." We may still end up reserving a bunch of extra memory on the low megabyte, but that is not really a major issue these days. In the worst case we lose 512K of RAM. This code really should be merged with trim_bios_range() in arch/x86/kernel/setup.c, but that is a bigger patch for a later merge window. Reported-by: Darren Hart Signed-off-by: H. Peter Anvin Cc: Matt Fleming Cc: Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org arch/x86/kernel/head.c | 53 ++++++++++++++++++++++++++++++----------------- 1 files changed, 34 insertions(+), 19 deletions(-) commit 10eb1dabfb743fb22dcbcf186bb8d2192d2d55ea Author: Wei Yongjun Date: Wed Feb 27 17:05:46 2013 -0800 Upstream commit: 940da353a83e895ea600cb8ab17dceefb1bcb469 memstick: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Maxim Levitsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/memstick/host/r592.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 1a63cb1ca50a10748cbf766894ecedf34a89baa3 Author: Xi Wang Date: Wed Feb 27 17:05:21 2013 -0800 Upstream commit: df1778be1a33edffa51d094eeda87c858ded6560 sysctl: fix null checking in bin_dn_node_address() The null check of `strchr() + 1' is broken, which is always non-null, leading to OOB read. Instead, check the result of strchr(). Signed-off-by: Xi Wang Cc: "Eric W. Biederman" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/sysctl_binary.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit 7ca96db0817416fd40761e7437d1939fc0731380 Author: Tejun Heo Date: Wed Feb 27 17:03:34 2013 -0800 Upstream commit: 6cdae7416a1c45c2ce105a78187d9b7e8feb9e24 idr: fix a subtle bug in idr_get_next() The iteration logic of idr_get_next() is borrowed mostly verbatim from idr_for_each(). It walks down the tree looking for the slot matching the current ID. If the matching slot is not found, the ID is incremented by the distance of single slot at the given level and repeats. The implementation assumes that during the whole iteration id is aligned to the layer boundaries of the level closest to the leaf, which is true for all iterations starting from zero or an existing element and thus is fine for idr_for_each(). However, idr_get_next() may be given any point and if the starting id hits in the middle of a non-existent layer, increment to the next layer will end up skipping the same offset into it. For example, an IDR with IDs filled between [64, 127] would look like the following. [ 0 64 ... ] /----/ | | | NULL [ 64 ... 127 ] If idr_get_next() is called with 63 as the starting point, it will try to follow down the pointer from 0. As it is NULL, it will then try to proceed to the next slot in the same level by adding the slot distance at that level which is 64 - making the next try 127. It goes around the loop and finds and returns 127 skipping [64, 126]. Note that this bug also triggers in idr_for_each_entry() loop which deletes during iteration as deletions can make layers go away leaving the iteration with unaligned ID into missing layers. Fix it by ensuring proceeding to the next slot doesn't carry over the unaligned offset - ie. use round_up(id + 1, slot_distance) instead of id += slot_distance. Signed-off-by: Tejun Heo Reported-by: David Teigland Cc: KAMEZAWA Hiroyuki Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/idr.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) commit 745362f28034f54242ba2e64eaa7374ab9869613 Author: Brad Spengler Date: Fri Mar 1 20:31:42 2013 -0500 Fix dentry use-after-free after failed complete_walk() with RBAC enabled Many thanks to zakalwe from #grsecurity for the report and debugging help fs/namei.c | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-) commit b53b3b14330920c6f7cfb74c8508a3026e1be620 Author: Brad Spengler Date: Thu Feb 28 18:29:26 2013 -0500 Fix bad git merge fs/namespace.c | 8 -------- 1 files changed, 0 insertions(+), 8 deletions(-) commit 71886f69ea10fa22e593dba1bdbe5c0334c6fede Merge: 1cce1dd ab30472 Author: Brad Spengler Date: Thu Feb 28 17:45:14 2013 -0500 Merge branch 'pax-test' into grsec-test Conflicts: net/core/sock_diag.c commit ab3047280e1dfb43f1b301a296123757b4ac4f6e Merge: 4b61d21 4c91a0e Author: Brad Spengler Date: Thu Feb 28 17:43:56 2013 -0500 Merge branch 'linux-3.8.y' into pax-test commit 1cce1ddd17c584c80465521834c3faf1a7c607d7 Author: Brad Spengler Date: Wed Feb 27 22:20:22 2013 -0500 add compiler.h to sysrq.h to fix compilation problem reported by micu on forums include/linux/sysrq.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f1e7fe130803fde83eb903b575335f59cd2bd18 Author: Brad Spengler Date: Wed Feb 27 17:52:31 2013 -0500 declare check_syslog_permissions() earlier in file, fix bug in syslog_action_restricted() in upstream kernel kernel/printk.c | 12 +++++++----- 1 files changed, 7 insertions(+), 5 deletions(-) commit 11dd499888fa76f3466821ce4daa5e0c55e43d39 Author: Brad Spengler Date: Wed Feb 27 17:23:46 2013 -0500 Fix upstream vulnerability from addition of a /dev/kmsg device while neglecting to add the same set of existing permission checks from do_syslog. This bit both dmesg_restrict and GRKERNSEC_DMESG. A temporary workaround without this patch would be to chmod 0600 /dev/kmsg (and is likely a good idea anyway). Notified in #grsecurity IRC by Jason A. Donenfeld and Petr Matousek Initially reported to Redhat bugzilla by Christian Kujau: https://bugzilla.redhat.com/show_bug.cgi?id=903192 kernel/printk.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit 66c04806f5660988c3cb4855e60de294e77e3d0e Author: David Howells Date: Thu Feb 21 12:00:25 2013 +0000 Upstream commit: fe9453a1dcb5fb146f9653267e78f4a558066f6f KEYS: Revert one application of "Fix unreachable code" patch A patch to fix some unreachable code in search_my_process_keyrings() got applied twice by two different routes upstream as commits e67eab39bee2 and b010520ab3d2 (both "fix unreachable code"). Unfortunately, the second application removed something it shouldn't have and this wasn't detected by GIT. This is due to the patch not having sufficient lines of context to distinguish the two places of application. The effect of this is relatively minor: inside the kernel, the keyring search routines may search multiple keyrings and then prioritise the errors if no keys or negative keys are found in any of them. With the extra deletion, the presence of a negative key in the thread keyring (causing ENOKEY) is incorrectly overridden by an error searching the process keyring. So revert the second application of the patch. Signed-off-by: David Howells Cc: Jiri Kosina Cc: Andrew Morton Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds security/keys/process_keys.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 954b0c8a95b08c09c3d15ec38106ce403bf714da Author: Wei Yongjun Date: Thu Feb 21 16:42:43 2013 -0800 Upstream commit: 49deb4bc227cb9db5b8ebf9434367f8bed057c7a configfs: move the dereference below the NULL test The dereference should be moved below the NULL test. spatch with a semantic match is used to found this. (http://coccinelle.lip6.fr/) Signed-off-by: Wei Yongjun Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/configfs/dir.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) commit d16d42c4fdc8baca5816d75b4a115102bf3d3423 Author: Nicolas Pitre Date: Sun Feb 24 20:06:09 2013 -0500 Upstream commit: a883b70d8e0a88278c0a1f80753b4dc99962b541 tty vt: fix character insertion overflow Commit 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") broke insert_char() in multiple ways. Then commit b1a925f44a3a ("tty vt: Fix a regression in command line edition") partially fixed it. However, the buffer being moved is still too large and overflowing beyond the end of the current line, corrupting existing characters on the next line. Example test case: echo -e "abc\nde\x1b[A\x1b[4h \x1b[4l\x1b[B" Expected result: ab c de Current result: ab c e Needless to say that this is very annoying when inserting words in the middle of paragraphs with certain text editors. Signed-off-by: Nicolas Pitre Cc: Jean-François Moine Cc: Greg Kroah-Hartman Cc: Signed-off-by: Linus Torvalds drivers/tty/vt/vt.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6cda35071669b4aabde081bd039e0ffea36f997a Author: Robin Holt Date: Fri Feb 22 16:35:34 2013 -0800 Upstream commit: 751efd8610d3d7d67b7bdf7f62646edea7365dd7 mmu_notifier_unregister NULL Pointer deref and multiple ->release() callouts There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. Additionally, the list traversal in __mmu_notifier_release() is not protected by the by the mmu_notifier_mm->hlist_lock which can result in callouts to the ->release() notifier from both mmu_notifier_unregister() and __mmu_notifier_release(). -stable suggestions: The stable trees prior to 3.7.y need commits 21a92735f660 and 70400303ce0c cherry-picked in that order prior to cherry-picking this commit. The 3.7.y tree already has those two commits. Signed-off-by: Robin Holt Cc: Andrea Arcangeli Cc: Wanpeng Li Cc: Xiao Guangrong Cc: Avi Kivity Cc: Hugh Dickins Cc: Marcelo Tosatti Cc: Sagi Grimberg Cc: Haggai Eran Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/mmu_notifier.c | 82 +++++++++++++++++++++++++++-------------------------- 1 files changed, 42 insertions(+), 40 deletions(-) commit bf5167ed78ba6131c6874887f714bda50c2cab83 Author: Mike Galbraith Date: Mon Jan 28 12:19:25 2013 +0100 Upstream commit: e0a79f529d5ba2507486d498b25da40911d95cf6 sched: Fix select_idle_sibling() bouncing cow syndrome If the previous CPU is cache affine and idle, select it. The current implementation simply traverses the sd_llc domain, taking the first idle CPU encountered, which walks buddy pairs hand in hand over the package, inflicting excruciating pain. 1 tbench pair (worst case) in a 10 core + SMT package: pre 15.22 MB/sec 1 procs post 252.01 MB/sec 1 procs Signed-off-by: Mike Galbraith Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/1359371965.5783.127.camel@marge.simpson.net Signed-off-by: Ingo Molnar kernel/sched/fair.c | 21 +++++++-------------- 1 files changed, 7 insertions(+), 14 deletions(-) commit cf7c2d257836fdcb5d51ad142cbc56ac12f7a37c Author: Eric W. Biederman Date: Fri Dec 28 18:58:39 2012 -0800 Upstream commit: c61a2810a2161986353705b44d9503e6bb079f4f userns: Avoid recursion in put_user_ns When freeing a deeply nested user namespace free_user_ns calls put_user_ns on it's parent which may in turn call free_user_ns again. When -fno-optimize-sibling-calls is passed to gcc one stack frame per user namespace is left on the stack, potentially overflowing the kernel stack. CONFIG_FRAME_POINTER forces -fno-optimize-sibling-calls so we can't count on gcc to optimize this code. Remove struct kref and use a plain atomic_t. Making the code more flexible and easier to comprehend. Make the loop in free_user_ns explict to guarantee that the stack does not overflow with CONFIG_FRAME_POINTER enabled. I have tested this fix with a simple program that uses unshare to create a deeply nested user namespace structure and then calls exit. With 1000 nesteuser namespaces before this change running my test program causes the kernel to die a horrible death. With 10,000,000 nested user namespaces after this change my test program runs to completion and causes no harm. Acked-by: Serge Hallyn Pointed-out-by: Vasily Kulikov Signed-off-by: "Eric W. Biederman" include/linux/user_namespace.h | 10 +++++----- kernel/user.c | 4 +--- kernel/user_namespace.c | 17 +++++++++-------- 3 files changed, 15 insertions(+), 16 deletions(-) commit 81501c7106ccc186c94806f4db954626295b5ebe Author: Brad Spengler Date: Tue Feb 26 17:12:30 2013 -0500 Pass the same flags to kern_path_create as the original function fs/namei.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit a677c8eee35afe48868f92c7d6745bfe809cd481 Author: Al Viro Date: Fri Feb 22 22:45:42 2013 -0500 Upstream commit: 9b40bc90abd126bcc5da5658059b8e72e285e559 get rid of unprotected dereferencing of mnt->mnt_ns It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/namespace.c | 29 +++++++++++++++++------------ 1 files changed, 17 insertions(+), 12 deletions(-) commit 89298124d0c96dc34a60377e7a1308f8f532ff75 Author: Greg Thelen Date: Fri Feb 22 16:36:01 2013 -0800 Upstream fix: 5f00110f7273f9ff04ac69a5f85bb535a4fd0987 tmpfs: fix use-after-free of mempolicy object The tmpfs remount logic preserves filesystem mempolicy if the mpol=M option is not specified in the remount request. A new policy can be specified if mpol=M is given. Before this patch remounting an mpol bound tmpfs without specifying mpol= mount option in the remount request would set the filesystem's mempolicy object to a freed mempolicy object. To reproduce the problem boot a DEBUG_PAGEALLOC kernel and run: # mkdir /tmp/x # mount -t tmpfs -o size=100M,mpol=interleave nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=102400k,mpol=interleave:0-3 0 0 # mount -o remount,size=200M nodev /tmp/x # grep /tmp/x /proc/mounts nodev /tmp/x tmpfs rw,relatime,size=204800k,mpol=??? 0 0 # note ? garbage in mpol=... output above # dd if=/dev/zero of=/tmp/x/f count=1 # panic here Panic: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [< (null)>] (null) [...] Oops: 0010 [#1] SMP DEBUG_PAGEALLOC Call Trace: mpol_shared_policy_init+0xa5/0x160 shmem_get_inode+0x209/0x270 shmem_mknod+0x3e/0xf0 shmem_create+0x18/0x20 vfs_create+0xb5/0x130 do_last+0x9a1/0xea0 path_openat+0xb3/0x4d0 do_filp_open+0x42/0xa0 do_sys_open+0xfe/0x1e0 compat_sys_open+0x1b/0x20 cstar_dispatch+0x7/0x1f Non-debug kernels will not crash immediately because referencing the dangling mpol will not cause a fault. Instead the filesystem will reference a freed mempolicy object, which will cause unpredictable behavior. The problem boils down to a dropped mpol reference below if shmem_parse_options() does not allocate a new mpol: config = *sbinfo shmem_parse_options(data, &config, true) mpol_put(sbinfo->mpol) sbinfo->mpol = config.mpol /* BUG: saves unreferenced mpol */ This patch avoids the crash by not releasing the mempolicy if shmem_parse_options() doesn't create a new mpol. How far back does this issue go? I see it in both 2.6.36 and 3.3. I did not look back further. Signed-off-by: Greg Thelen Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/shmem.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 614943c76d9e49f12f3e1154f1dea80dc4bb2743 Author: Brad Spengler Date: Sat Feb 23 11:08:05 2013 -0500 Userland can send a netlink message requesting SOCK_DIAG_BY_FAMILY with a family greater or equal then AF_MAX -- the array size of sock_diag_handlers[]. The current code does not test for this condition therefore is vulnerable to an out-of-bound access opening doors for a privilege escalation. Signed-off-by: Mathias Krause The sock_diag_lock_handler() and sock_diag_unlock_handler() actually make the code less readable. Get rid of them and make the lock usage and access to sock_diag_handlers[] clear on the first sight. Signed-off-by: Mathias Krause net/core/sock_diag.c | 27 ++++++++++----------------- 1 files changed, 10 insertions(+), 17 deletions(-) commit e8d44970f8ac5ceda7b0e3f2c2ab33cefb800990 Author: Brad Spengler Date: Sat Feb 23 10:58:52 2013 -0500 Fix compilation failure reported by Hinnerk van Bruinehsen when CPU_USE_DOMAINS is not defined arch/arm/include/asm/domain.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 7b729586eb81f344fdedf0942fab0acc738a6725 Author: Brad Spengler Date: Fri Feb 22 19:02:51 2013 -0500 Add back capability check for user namespaces. They have not seen enough proper review and needlessly exposes additional attack surface for all users. kernel/fork.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) commit fadc560d0c486af88da83177735f5515e88acdcc Author: Brad Spengler Date: Thu Feb 21 23:06:48 2013 -0500 put is_hugetlbfs_mnt inside ifdefs grsecurity/gracl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 8252176922d405484f986eb2cc350b7cd3ae586e Author: Brad Spengler Date: Thu Feb 21 23:02:07 2013 -0500 remove unused label kernel/module.c | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit dad4a980f0b625059e215d13da728aa7fd02a374 Author: Brad Spengler Date: Thu Feb 21 23:00:52 2013 -0500 compile fix fs/open.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 13e3266c41b98a40f3d8a4a7fb8ee5c0983156b7 Author: Brad Spengler Date: Thu Feb 21 22:57:49 2013 -0500 remove kmalloc_array_error for the same reasons as kcalloc_error include/linux/slab.h | 9 --------- 1 files changed, 0 insertions(+), 9 deletions(-) commit 0c24df0e81ae880c4523cc78ff91609b9aa6133a Author: Brad Spengler Date: Thu Feb 21 22:49:35 2013 -0500 Initial port of grsecurity for Linux 3.8 Documentation/kernel-parameters.txt | 4 + Makefile | 10 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 14 +- arch/arm/include/asm/cache.h | 2 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/fault.c | 27 +- arch/arm/mm/mmap.c | 6 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 3 +- arch/ia64/mm/hugetlbpage.c | 3 +- arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/microblaze/include/asm/cache.h | 3 +- arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 9 +- arch/mips/kernel/ptrace.c | 9 + arch/mips/kernel/scall32-o32.S | 2 +- arch/mips/kernel/scall64-64.S | 2 +- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- arch/mips/mm/mmap.c | 3 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 19 +- arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 8 +- arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 8 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/thread_info_64.h | 9 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 6 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 3 +- arch/tile/include/asm/cache.h | 3 +- arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 5 +- arch/x86/Kconfig.debug | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 8 + arch/x86/kernel/entry_32.S | 2 +- arch/x86/kernel/entry_64.S | 2 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/ptrace.c | 14 + arch/x86/kernel/smpboot.c | 3 + arch/x86/kernel/sys_i386_32.c | 14 +- arch/x86/kernel/sys_x86_64.c | 3 +- arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 3 +- arch/x86/mm/init.c | 66 +- arch/x86/net/bpf_jit_comp.c | 126 +- arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- arch/xtensa/variants/s6000/include/variant/core.h | 3 +- crypto/ablkcipher.c | 12 +- crypto/aead.c | 9 +- crypto/ahash.c | 2 +- crypto/blkcipher.c | 6 +- crypto/crypto_user.c | 38 +- crypto/pcompress.c | 3 +- crypto/rng.c | 2 +- crypto/shash.c | 3 +- drivers/block/cciss.c | 2 + drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 12 + drivers/gpu/drm/drm_info.c | 4 + drivers/hid/hid-wiimote-debug.c | 2 +- drivers/media/radio/radio-cadet.c | 2 +- drivers/message/fusion/mptbase.c | 5 + drivers/net/phy/mdio-bitbang.c | 1 + drivers/pci/proc.c | 9 + drivers/rtc/rtc-dev.c | 3 + drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/video/logo/logo_linux_clut224.ppm | 2721 ++++++-------- drivers/xen/xenfs/xenstored.c | 5 + fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 6 + fs/btrfs/inode.c | 10 +- fs/btrfs/ioctl.c | 6 +- fs/compat.c | 18 + fs/coredump.c | 10 +- fs/debugfs/inode.c | 4 + fs/exec.c | 155 +- fs/ext2/balloc.c | 4 +- fs/ext3/balloc.c | 4 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 5 + fs/file.c | 4 + fs/filesystems.c | 5 + fs/fs_struct.c | 26 +- fs/hugetlbfs/inode.c | 5 +- fs/namei.c | 269 ++- fs/namespace.c | 24 + fs/open.c | 38 + fs/pipe.c | 2 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 59 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/inode.c | 17 + fs/proc/internal.h | 3 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 12 + fs/proc/proc_sysctl.c | 43 +- fs/proc/root.c | 8 + fs/proc/task_mmu.c | 75 +- fs/readdir.c | 19 + fs/select.c | 2 + fs/seq_file.c | 12 +- fs/stat.c | 19 +- fs/sysfs/dir.c | 12 + fs/utimes.c | 7 + fs/xattr.c | 19 +- grsecurity/Kconfig | 1021 +++++ grsecurity/Makefile | 38 + grsecurity/gracl.c | 4017 ++++++++++++++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 110 + grsecurity/gracl_fs.c | 431 +++ grsecurity/gracl_ip.c | 384 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 299 ++ grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 357 ++ grsecurity/grsec_disabled.c | 434 +++ grsecurity/grsec_exec.c | 174 + grsecurity/grsec_fifo.c | 24 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 283 ++ grsecurity/grsec_link.c | 58 + grsecurity/grsec_log.c | 329 ++ grsecurity/grsec_mem.c | 40 + grsecurity/grsec_mount.c | 62 + grsecurity/grsec_pax.c | 36 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 222 ++ grsecurity/grsec_sock.c | 244 ++ grsecurity/grsec_sysctl.c | 469 +++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 73 + grsecurity/grsum.c | 61 + include/linux/capability.h | 5 + include/linux/cred.h | 3 + include/linux/fs.h | 10 + include/linux/fsnotify.h | 6 + include/linux/gracl.h | 319 ++ include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 215 ++ include/linux/grmsg.h | 111 + include/linux/grsecurity.h | 257 ++ include/linux/grsock.h | 19 + include/linux/kallsyms.h | 14 +- include/linux/kmod.h | 2 + include/linux/netfilter/xt_gradm.h | 9 + include/linux/printk.h | 3 +- include/linux/proc_fs.h | 12 + include/linux/sched.h | 66 +- include/linux/security.h | 1 + include/linux/seq_file.h | 3 + include/linux/shm.h | 4 + include/linux/sysctl.h | 2 + include/linux/thread_info.h | 2 + include/linux/vermagic.h | 9 +- include/trace/events/fs.h | 53 + include/uapi/linux/personality.h | 1 + init/Kconfig | 5 +- init/main.c | 14 + ipc/mqueue.c | 1 + ipc/shm.c | 28 + kernel/capability.c | 39 +- kernel/cgroup.c | 2 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 109 +- kernel/exit.c | 10 +- kernel/fork.c | 24 +- kernel/futex.c | 1 + kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kmod.c | 71 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 + kernel/lockdep_proc.c | 10 +- kernel/module.c | 80 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/posix-timers.c | 8 + kernel/printk.c | 5 + kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 6 +- kernel/signal.c | 37 +- kernel/sys.c | 38 +- kernel/sysctl.c | 39 +- kernel/taskstats.c | 6 + kernel/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 12 + kernel/time/timer_stats.c | 10 +- lib/Kconfig.debug | 5 +- lib/is_single_threaded.c | 3 + lib/vsprintf.c | 35 +- localversion-grsec | 1 + mm/Kconfig | 4 +- mm/filemap.c | 1 + mm/kmemleak.c | 4 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 3 + mm/mmap.c | 62 +- mm/mprotect.c | 8 + mm/page_alloc.c | 6 + mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 2 +- mm/slub.c | 14 +- mm/vmalloc.c | 4 + mm/vmstat.c | 18 +- net/core/dev.c | 9 + net/core/sock_diag.c | 7 + net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netrom/af_netrom.c | 2 +- net/phonet/af_phonet.c | 4 +- net/sctp/proc.c | 3 +- net/socket.c | 62 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 19 + security/Kconfig | 320 ++- security/apparmor/lsm.c | 2 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/security.c | 2 - security/selinux/hooks.c | 2 - security/yama/Kconfig | 2 +- tools/gcc/Makefile | 2 +- 286 files changed, 15083 insertions(+), 2067 deletions(-) commit 4b61d2188de70da9dc9b3e67fc0565077370eb27 Author: Brad Spengler Date: Wed Feb 20 21:00:42 2013 -0500 Initial import of pax-linux-3.8-test3.patch Documentation/dontdiff | 43 +- Documentation/kernel-parameters.txt | 7 + Makefile | 97 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 10 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 421 +++- arch/arm/include/asm/cache.h | 3 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 2 + arch/arm/include/asm/delay.h | 8 +- arch/arm/include/asm/domain.h | 32 +- arch/arm/include/asm/elf.h | 13 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 7 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 2 +- arch/arm/include/asm/pgalloc.h | 22 +- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 + arch/arm/include/asm/pgtable-2level.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 4 + arch/arm/include/asm/pgtable-3level.h | 2 + arch/arm/include/asm/pgtable.h | 56 +- arch/arm/include/asm/proc-fns.h | 2 +- arch/arm/include/asm/processor.h | 5 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/uaccess.h | 92 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 4 +- arch/arm/kernel/entry-armv.S | 107 +- arch/arm/kernel/entry-common.S | 41 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 2 + arch/arm/kernel/head.S | 6 +- arch/arm/kernel/hw_breakpoint.c | 2 +- arch/arm/kernel/module.c | 29 +- arch/arm/kernel/perf_event_cpu.c | 2 +- arch/arm/kernel/process.c | 10 +- arch/arm/kernel/setup.c | 22 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/traps.c | 8 +- arch/arm/kernel/vmlinux.lds.S | 20 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 14 +- arch/arm/lib/uaccess_with_memcpy.c | 2 +- arch/arm/mach-kirkwood/common.c | 19 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-ux500/include/mach/setup.h | 7 - arch/arm/mm/Kconfig | 3 +- arch/arm/mm/fault.c | 78 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 41 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 36 +- arch/arm/mm/mmu.c | 186 +- arch/arm/mm/proc-v7-2level.S | 3 + arch/arm/plat-omap/sram.c | 2 + arch/arm/plat-orion/include/plat/addr-map.h | 2 +- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +- arch/arm64/kernel/debug-monitors.c | 2 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 7 +- arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 28 +- arch/ia64/kernel/err_inject.c | 2 +- arch/ia64/kernel/mca.c | 2 +- arch/ia64/kernel/module.c | 48 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/salinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 13 +- arch/ia64/kernel/topology.c | 2 +- arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/hugetlbpage.c | 2 +- arch/ia64/mm/init.c | 13 + arch/m32r/lib/usercopy.c | 6 + arch/mips/include/asm/atomic.h | 14 + arch/mips/include/asm/elf.h | 11 +- arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/process.c | 12 - arch/mips/mm/fault.c | 17 + arch/mips/mm/mmap.c | 51 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 6 +- arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 10 + arch/powerpc/include/asm/elf.h | 19 +- arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/uaccess.h | 142 +- arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 13 +- arch/powerpc/kernel/process.c | 55 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/sysfs.c | 2 +- arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 54 +- arch/powerpc/mm/mmap_64.c | 16 + arch/powerpc/mm/mmu_context_nohash.c | 2 +- arch/powerpc/mm/numa.c | 2 +- arch/powerpc/mm/slice.c | 23 +- arch/powerpc/platforms/powermac/smp.c | 2 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/elf.h | 13 +- arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 15 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 36 - arch/s390/mm/mmap.c | 24 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/kernel/cpu/sh4a/smp-shx3.c | 2 +- arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 106 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 2 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 8 + arch/sparc/include/asm/uaccess_32.h | 27 +- arch/sparc/include/asm/uaccess_64.h | 19 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 48 +- arch/sparc/kernel/sysfs.c | 2 +- arch/sparc/kernel/traps_64.c | 13 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 136 +- arch/sparc/lib/ksyms.c | 6 + arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 ++ arch/sparc/mm/fault_64.c | 486 +++ arch/sparc/mm/hugetlbpage.c | 21 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 10 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 6 +- arch/x86/Makefile | 10 + arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 4 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/eboot.c | 2 - arch/x86/boot/compressed/head_32.S | 7 +- arch/x86/boot/compressed/head_64.S | 4 +- arch/x86/boot/compressed/misc.c | 4 +- arch/x86/boot/cpucheck.c | 28 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 31 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 8 + arch/x86/crypto/camellia-x86_64-asm_64.S | 8 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 5 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 5 + arch/x86/crypto/sha1_ssse3_asm.S | 3 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 8 + arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 5 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/ia32/ia32_signal.c | 14 +- arch/x86/ia32/ia32entry.S | 141 +- arch/x86/ia32/sys_ia32.c | 12 +- arch/x86/include/asm/alternative-asm.h | 39 + arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 307 ++- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 202 ++- arch/x86/include/asm/bitops.h | 2 +- arch/x86/include/asm/boot.h | 7 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/cacheflush.h | 2 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 35 + arch/x86/include/asm/cpufeature.h | 4 +- arch/x86/include/asm/desc.h | 65 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/elf.h | 31 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu-internal.h | 6 +- arch/x86/include/asm/futex.h | 16 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/io.h | 13 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 142 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 16 +- arch/x86/include/asm/mmu_context.h | 76 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/page_64_types.h | 2 +- arch/x86/include/asm/paravirt.h | 44 +- arch/x86/include/asm/paravirt_types.h | 17 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 110 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 15 +- arch/x86/include/asm/pgtable_64.h | 19 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 36 +- arch/x86/include/asm/processor.h | 39 +- arch/x86/include/asm/ptrace.h | 26 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 24 +- arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/spinlock.h | 36 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/thread_info.h | 83 +- arch/x86/include/asm/uaccess.h | 96 +- arch/x86/include/asm/uaccess_32.h | 106 +- arch/x86/include/asm/uaccess_64.h | 232 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xsave.h | 10 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 65 +- arch/x86/kernel/apic/apic.c | 6 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/es7000_32.c | 5 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/numaq_32.c | 3 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/summit_32.c | 2 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 19 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 75 +- arch/x86/kernel/cpu/intel.c | 2 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 50 +- arch/x86/kernel/cpu/mcheck/mce.c | 29 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/therm_throt.c | 2 +- arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 4 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash.c | 4 +- arch/x86/kernel/doublefault_32.c | 8 +- arch/x86/kernel/dumpstack.c | 30 +- arch/x86/kernel/dumpstack_32.c | 34 +- arch/x86/kernel/dumpstack_64.c | 63 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/entry_32.S | 354 ++- arch/x86/kernel/entry_64.S | 512 +++- arch/x86/kernel/ftrace.c | 14 +- arch/x86/kernel/head32.c | 4 +- arch/x86/kernel/head_32.S | 237 ++- arch/x86/kernel/head_64.S | 158 +- arch/x86/kernel/i386_ksyms_32.c | 8 + arch/x86/kernel/i387.c | 2 +- arch/x86/kernel/i8259.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 10 +- arch/x86/kernel/irq_32.c | 69 +- arch/x86/kernel/irq_64.c | 2 +- arch/x86/kernel/kdebugfs.c | 2 +- arch/x86/kernel/kgdb.c | 25 +- arch/x86/kernel/kprobes-opt.c | 12 +- arch/x86/kernel/kprobes.c | 30 +- arch/x86/kernel/kvm.c | 2 +- arch/x86/kernel/ldt.c | 31 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/microcode_core.c | 2 +- arch/x86/kernel/microcode_intel.c | 4 +- arch/x86/kernel/module.c | 76 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 11 + arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 43 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/process.c | 57 +- arch/x86/kernel/process_32.c | 29 +- arch/x86/kernel/process_64.c | 15 +- arch/x86/kernel/ptrace.c | 25 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/relocate_kernel_64.S | 4 +- arch/x86/kernel/setup.c | 14 +- arch/x86/kernel/setup_percpu.c | 27 +- arch/x86/kernel/signal.c | 15 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 15 +- arch/x86/kernel/step.c | 10 +- arch/x86/kernel/sys_i386_32.c | 247 ++ arch/x86/kernel/sys_x86_64.c | 19 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 10 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/traps.c | 64 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 148 +- arch/x86/kernel/vsyscall_64.c | 12 +- arch/x86/kernel/x8664_ksyms_64.c | 2 - arch/x86/kernel/x86_init.c | 8 +- arch/x86/kernel/xsave.c | 2 + arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 4 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 47 +- arch/x86/kvm/x86.c | 10 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 103 +- arch/x86/lib/checksum_32.S | 100 +- arch/x86/lib/clear_page_64.S | 5 +- arch/x86/lib/cmpxchg16b_emu.S | 2 + arch/x86/lib/copy_page_64.S | 24 +- arch/x86/lib/copy_user_64.S | 47 +- arch/x86/lib/copy_user_nocache_64.S | 20 +- arch/x86/lib/csum-copy_64.S | 2 + arch/x86/lib/csum-wrappers_64.c | 4 +- arch/x86/lib/getuser.S | 68 +- arch/x86/lib/insn.c | 6 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 18 +- arch/x86/lib/memmove_64.S | 34 +- arch/x86/lib/memset_64.S | 7 +- arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 18 +- arch/x86/lib/putuser.S | 90 +- arch/x86/lib/rwlock.S | 42 + arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/thunk_64.S | 2 + arch/x86/lib/usercopy_32.c | 376 ++- arch/x86/lib/usercopy_64.c | 25 +- arch/x86/mm/extable.c | 25 +- arch/x86/mm/fault.c | 555 +++- arch/x86/mm/gup.c | 2 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 30 +- arch/x86/mm/init.c | 92 +- arch/x86/mm/init_32.c | 122 +- arch/x86/mm/init_64.c | 48 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 12 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 41 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/pageattr-test.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 137 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/net/bpf_jit.S | 14 + arch/x86/net/bpf_jit_comp.c | 37 +- arch/x86/oprofile/backtrace.c | 8 +- arch/x86/pci/amd_bus.c | 2 +- arch/x86/pci/mrst.c | 4 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 19 + arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 8 + arch/x86/platform/mrst/mrst.c | 6 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 4 +- arch/x86/realmode/init.c | 8 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 2 +- arch/x86/tools/relocs.c | 95 +- arch/x86/vdso/Makefile | 2 +- arch/x86/vdso/vdso32-setup.c | 23 +- arch/x86/vdso/vma.c | 29 +- arch/x86/xen/enlighten.c | 47 +- arch/x86/xen/mmu.c | 9 + arch/x86/xen/smp.c | 18 +- arch/x86/xen/xen-asm_32.S | 12 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/blk-iopoll.c | 4 +- block/blk-map.c | 2 +- block/blk-softirq.c | 4 +- block/bsg.c | 12 +- block/compat_ioctl.c | 2 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 27 +- crypto/cryptd.c | 4 +- drivers/acpi/apei/cper.c | 8 +- drivers/acpi/ec_sys.c | 12 +- drivers/acpi/processor_driver.c | 2 +- drivers/ata/libata-core.c | 8 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/devtmpfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_int.h | 6 +- drivers/block/drbd/drbd_main.c | 8 +- drivers/block/drbd/drbd_receiver.c | 18 +- drivers/block/loop.c | 2 +- drivers/cdrom/cdrom.c | 9 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/frontend.c | 2 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 41 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 18 +- drivers/char/random.c | 8 +- drivers/char/sonypi.c | 9 +- drivers/char/tpm/tpm.c | 2 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clocksource/arm_generic.c | 2 +- drivers/cpufreq/cpufreq.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 2 +- drivers/dma/sh/shdma.c | 2 +- drivers/edac/edac_pci_sysfs.c | 20 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 2 +- drivers/firewire/core-cdev.c | 3 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi_scan.c | 7 +- drivers/firmware/efivars.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpu/drm/drm_crtc_helper.c | 2 +- drivers/gpu/drm/drm_drv.c | 4 +- drivers/gpu/drm/drm_fops.c | 18 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 14 +- drivers/gpu/drm/drm_ioc32.c | 4 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/drm_lock.c | 4 +- drivers/gpu/drm/drm_stub.c | 2 +- drivers/gpu/drm/i810/i810_dma.c | 8 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_drv.h | 6 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 6 +- drivers/gpu/drm/i915/i915_irq.c | 22 +- drivers/gpu/drm/i915/intel_display.c | 9 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.h | 2 +- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 2 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/radeon/rs690.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 4 +- drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/hid/hid-core.c | 4 +- drivers/hv/channel.c | 4 +- drivers/hv/hv.c | 2 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hv/vmbus_drv.c | 4 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 16 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 10 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/usb/dvb-usb/cxusb.c | 2 +- drivers/media/usb/dvb-usb/dw2102.c | 2 +- drivers/message/fusion/mptsas.c | 34 +- drivers/message/fusion/mptscsih.c | 19 +- drivers/message/i2o/i2o_proc.c | 51 +- drivers/message/i2o/iop.c | 8 +- drivers/mfd/janz-cmodio.c | 1 + drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 4 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/devices/doc2000.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nftlmount.c | 1 + drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/fakehard.c | 2 +- drivers/net/macvlan.c | 2 +- drivers/net/macvtap.c | 2 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/team/team.c | 2 +- drivers/net/tun.c | 5 +- drivers/net/usb/hso.c | 23 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 30 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 58 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 26 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 32 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 2 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 4 + drivers/pci/pcie/aspm.c | 6 +- drivers/pci/probe.c | 2 +- drivers/platform/x86/thinkpad_acpi.c | 70 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/resource.c | 4 +- drivers/power/pda_power.c | 7 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 8 +- drivers/regulator/mc13892-regulator.c | 6 +- drivers/scsi/bfa/bfa.h | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 30 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 16 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 6 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_tgt_lib.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 2 +- drivers/scsi/sg.c | 2 +- drivers/spi/spi.c | 2 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/ramster/tmem.c | 54 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sbe-2t3e3/netdev.c | 2 +- drivers/staging/usbip/vhci.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 6 +- drivers/staging/usbip/vhci_rx.c | 2 +- drivers/staging/vt6655/hostap.c | 7 +- drivers/staging/vt6656/hostap.c | 7 +- drivers/staging/zcache/tmem.c | 4 +- drivers/staging/zcache/tmem.h | 2 + drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 3 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 10 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 21 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/u_serial.c | 22 +- drivers/usb/serial/console.c | 6 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/video/aty/aty128fb.c | 2 +- drivers/video/fbcmap.c | 3 +- drivers/video/fbmem.c | 6 +- drivers/video/i810/i810_accel.c | 1 + drivers/video/udlfb.c | 32 +- drivers/video/uvesafb.c | 39 +- drivers/video/vesafb.c | 51 +- drivers/video/via/via_clock.h | 2 +- fs/9p/vfs_inode.c | 2 +- fs/Kconfig.binfmt | 2 +- fs/aio.c | 11 +- fs/autofs4/waitq.c | 2 +- fs/befs/linuxvfs.c | 2 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 604 ++++- fs/binfmt_flat.c | 6 + fs/bio.c | 6 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/relocation.c | 2 +- fs/btrfs/super.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/cachefiles/rdwr.c | 2 +- fs/ceph/dir.c | 2 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/link.c | 2 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 6 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 8 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 24 +- fs/dcache.c | 2 +- fs/ecryptfs/inode.c | 4 +- fs/ecryptfs/miscdev.c | 2 +- fs/ecryptfs/read_write.c | 4 +- fs/exec.c | 356 ++- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/fhandle.c | 3 +- fs/fifo.c | 22 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 36 +- fs/fscache/internal.h | 196 +- fs/fscache/object.c | 28 +- fs/fscache/operation.c | 30 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 344 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 2 +- fs/fuse/dir.c | 2 +- fs/gfs2/inode.c | 2 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/locks.c | 8 +- fs/namei.c | 15 +- fs/namespace.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/vfs.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/file.c | 4 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 33 +- fs/proc/array.c | 20 + fs/proc/kcore.c | 32 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/self.c | 2 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/quota/netlink.c | 4 +- fs/readdir.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 2 +- fs/splice.c | 36 +- fs/sysfs/file.c | 10 +- fs/sysfs/symlink.c | 2 +- fs/udf/misc.c | 2 +- fs/xattr_acl.c | 4 +- fs/xfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_sf.c | 10 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_iops.c | 2 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 210 ++ include/asm-generic/atomic.h | 2 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 8 + include/asm-generic/vmlinux.lds.h | 10 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 5 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/ttm/ttm_memory.h | 2 +- include/linux/atmdev.h | 2 +- include/linux/binfmts.h | 1 + include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 4 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/compiler-gcc4.h | 20 + include/linux/compiler.h | 72 +- include/linux/cpu.h | 2 +- include/linux/crypto.h | 6 +- include/linux/decompress/mm.h | 2 +- include/linux/dma-mapping.h | 2 +- include/linux/dmaengine.h | 4 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/filter.h | 4 + include/linux/frontswap.h | 2 +- include/linux/fs.h | 3 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 4 +- include/linux/fsnotify.h | 2 +- include/linux/ftrace_event.h | 2 +- include/linux/genhd.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/i2c.h | 1 + include/linux/i2o.h | 2 +- include/linux/if_pppox.h | 2 +- include/linux/init.h | 33 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 8 +- include/linux/kgdb.h | 6 +- include/linux/kobject.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/list.h | 3 + include/linux/mm.h | 91 +- include/linux/mm_types.h | 22 +- include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 55 +- include/linux/moduleloader.h | 18 +- include/linux/moduleparam.h | 4 +- include/linux/namei.h | 6 +- include/linux/netdevice.h | 3 +- include/linux/netfilter/ipset/ip_set.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/perf_event.h | 10 +- include/linux/pipe_fs_i.h | 6 +- include/linux/platform_data/usb-ehci-s5p.h | 2 +- include/linux/pm_runtime.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/random.h | 5 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 64 +- include/linux/seq_file.h | 1 + include/linux/skbuff.h | 12 +- include/linux/slab.h | 36 +- include/linux/slab_def.h | 33 +- include/linux/slob_def.h | 4 +- include/linux/slub_def.h | 10 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/clnt.h | 8 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sysrq.h | 2 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/unaligned/access_ok.h | 12 +- include/linux/usb.h | 2 +- include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vmalloc.h | 11 +- include/linux/vmstat.h | 20 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-ioctl.h | 1 - include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/gro_cells.h | 6 +- include/net/inet_connection_sock.h | 2 +- include/net/inetpeer.h | 8 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 4 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 6 +- include/net/netdma.h | 2 +- include/net/netlink.h | 2 +- include/net/netns/ipv4.h | 2 +- include/net/protocol.h | 4 +- include/net/sctp/sctp.h | 6 +- include/net/sctp/structs.h | 4 +- include/net/sock.h | 6 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 4 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_transport_fc.h | 3 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/byteorder/little_endian.h | 24 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/sysctl.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 22 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 40 +- init/main.c | 78 +- ipc/msg.c | 11 +- ipc/sem.c | 11 +- ipc/shm.c | 17 +- kernel/acct.c | 2 +- kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/capability.c | 3 + kernel/compat.c | 40 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 28 +- kernel/exit.c | 4 +- kernel/fork.c | 167 +- kernel/futex.c | 9 + kernel/gcov/base.c | 7 +- kernel/hrtimer.c | 4 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 39 +- kernel/kexec.c | 3 +- kernel/kmod.c | 2 +- kernel/kprobes.c | 8 +- kernel/lockdep.c | 7 +- kernel/module.c | 333 ++- kernel/mutex-debug.c | 12 +- kernel/mutex-debug.h | 4 +- kernel/mutex.c | 7 +- kernel/notifier.c | 17 +- kernel/panic.c | 3 +- kernel/pid.c | 2 +- kernel/posix-cpu-timers.c | 4 +- kernel/posix-timers.c | 20 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 6 +- kernel/rcutiny.c | 4 +- kernel/rcutiny_plugin.h | 2 +- kernel/rcutorture.c | 56 +- kernel/rcutree.c | 72 +- kernel/rcutree.h | 24 +- kernel/rcutree_plugin.h | 18 +- kernel/rcutree_trace.c | 22 +- kernel/rtmutex-tester.c | 24 +- kernel/sched/auto_group.c | 4 +- kernel/sched/core.c | 2 +- kernel/sched/fair.c | 4 +- kernel/signal.c | 12 +- kernel/smp.c | 2 +- kernel/softirq.c | 16 +- kernel/srcu.c | 6 +- kernel/stop_machine.c | 2 +- kernel/sys.c | 12 +- kernel/sysctl.c | 37 +- kernel/sysctl_binary.c | 14 +- kernel/time/alarmtimer.c | 2 +- kernel/time/tick-broadcast.c | 2 +- kernel/time/timer_stats.c | 10 +- kernel/timer.c | 4 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 20 +- kernel/trace/ring_buffer.c | 76 +- kernel/trace/trace.c | 6 +- kernel/trace/trace_events.c | 25 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 12 +- kernel/trace/trace_stack.c | 2 +- lib/Makefile | 2 +- lib/bitmap.c | 8 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/devres.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/list_debug.c | 89 +- lib/radix-tree.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/filemap.c | 2 +- mm/fremap.c | 5 + mm/highmem.c | 7 +- mm/hugetlb.c | 54 + mm/internal.h | 1 + mm/maccess.c | 4 +- mm/madvise.c | 41 + mm/memory-failure.c | 18 +- mm/memory.c | 404 ++- mm/mempolicy.c | 26 + mm/mlock.c | 16 +- mm/mmap.c | 573 +++- mm/mprotect.c | 138 +- mm/mremap.c | 44 +- mm/nommu.c | 11 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 14 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 38 +- mm/shmem.c | 19 +- mm/slab.c | 104 +- mm/slab.h | 5 +- mm/slab_common.c | 9 +- mm/slob.c | 200 +- mm/slub.c | 98 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 3 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 82 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/hard-interface.c | 4 +- net/batman-adv/soft-interface.c | 4 +- net/batman-adv/types.h | 6 +- net/batman-adv/unicast.c | 2 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 10 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/compat.c | 34 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/flow.c | 8 +- net/core/iovec.c | 4 +- net/core/rtnetlink.c | 2 +- net/core/scm.c | 8 +- net/core/sock.c | 24 +- net/decnet/sysctl_net_decnet.c | 4 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inetpeer.c | 4 +- net/ipv4/ip_fragment.c | 2 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ipcomp.c | 2 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 2 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 2 +- net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv6/addrconf.c | 2 +- net/ipv6/ip6_gre.c | 2 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/raw.c | 19 +- net/ipv6/udp.c | 8 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/mac80211/cfg.c | 4 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 14 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 6 +- net/mac80211/rate.c | 2 +- net/mac80211/rc80211_pid_debugfs.c | 2 +- net/mac80211/util.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 10 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/packet/af_packet.c | 12 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sctp/ipv6.c | 2 +- net/sctp/protocol.c | 8 +- net/sctp/socket.c | 2 + net/socket.c | 34 +- net/sunrpc/sched.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 6 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/link.c | 6 +- net/tipc/msg.c | 2 +- net/tipc/subscr.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 4 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 28 +- scripts/basic/fixdep.c | 12 +- scripts/gcc-plugin.sh | 17 + scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/pnmtologo.c | 6 +- security/Kconfig | 654 ++++- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/compat.c | 2 +- security/keys/keyctl.c | 8 +- security/keys/keyring.c | 6 +- security/security.c | 9 +- security/selinux/hooks.c | 2 +- security/selinux/include/xfrm.h | 2 +- security/smack/smack_lsm.c | 2 +- security/tomoyo/tomoyo.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/seq/seq_device.c | 8 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 2 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 43 + tools/gcc/checker_plugin.c | 171 + tools/gcc/colorize_plugin.c | 151 + tools/gcc/constify_plugin.c | 359 +++ tools/gcc/generate_size_overflow_hash.sh | 94 + tools/gcc/kallocstat_plugin.c | 170 + tools/gcc/kernexec_plugin.c | 465 +++ tools/gcc/latent_entropy_plugin.c | 321 ++ tools/gcc/size_overflow_hash.data | 3713 ++++++++++++++++++++++ tools/gcc/size_overflow_plugin.c | 1941 +++++++++++ tools/gcc/stackleak_plugin.c | 327 ++ tools/perf/util/include/asm/alternative-asm.h | 3 + virt/kvm/kvm_main.c | 32 +- 1311 files changed, 26668 insertions(+), 6394 deletions(-) commit a00016a11e35e91aec8e2d9b6ec4c6fbb11d6d2b Merge: 0949bd4 fc53d63 Author: Brad Spengler Date: Thu Mar 22 19:03:44 2012 -0400 Merge branch 'pax-test' into grsec-test commit fc53d6338964741b368070ec5c935bc579b8c2a6 Author: Brad Spengler Date: Thu Mar 22 19:02:45 2012 -0400 Update to pax-linux-3.2.12-test33.patch commit 0949bd46a6455b308f66ad7c993bfee62412db35 Author: Brad Spengler Date: Thu Mar 22 16:56:09 2012 -0400 Use current_umask() instead of current->fs->umask commit 22f6432d0fe733619cfcb523782ed7d80c46d645 Author: Brad Spengler Date: Wed Mar 21 19:42:42 2012 -0400 compile fix commit 0cad49d6b8fbb32395da924c1665a1110a9a9eef Author: Brad Spengler Date: Wed Mar 21 19:34:56 2012 -0400 Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions commit 47fc52e0a068a29d6cca2f809daf0679cba33c44 Author: Brad Spengler Date: Tue Mar 20 20:25:49 2012 -0400 zero kernel_role commit b00953b43c69238d181d21121ef1577c988d5f6b Author: Brad Spengler Date: Tue Mar 20 19:29:34 2012 -0400 zero real_root after releasing it commit 0b3ab73ce5d34a2c3206955cd65eddd6bdfd32a1 Merge: b724f59 273f98e Author: Brad Spengler Date: Tue Mar 20 19:11:26 2012 -0400 Merge branch 'pax-test' into grsec-test commit 273f98e58cdac555d3b5dce5c1ca168349f95878 Author: Brad Spengler Date: Tue Mar 20 19:10:52 2012 -0400 Temporary workaround for (most) size_overflow plugin false-positives Increase randomization for brk-managed heap to 21 bits Update to pax-linux-3.2.12-test32.patch commit b724f59125304460c2af8bd4b02921993afbb5d3 Author: Brad Spengler Date: Tue Mar 20 18:58:53 2012 -0400 compile fix commit 329f1a9d0f137d0a973316c53bbec18a6eeecd4f Author: Brad Spengler Date: Tue Mar 20 18:52:23 2012 -0400 Require default and kernel role commit a7c5c4f55bdd61cfcd0fb1be7a67160429409878 Author: Brad Spengler Date: Tue Mar 20 18:47:28 2012 -0400 Allow policies without special roles don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles) commit 402ec3d24d66d38403dc543c84851f5e72d39e22 Merge: 8e012dc f14661a Author: Brad Spengler Date: Mon Mar 19 18:06:59 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: fs/namei.c commit f14661aaf202155c97f66626cea0269017bb7775 Merge: eae671f 058b017 Author: Brad Spengler Date: Mon Mar 19 18:05:44 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 8e012dcf7a50b7cde34c2cec93ecedd049123b75 Author: Ryusuke Konishi Date: Fri Mar 16 17:08:39 2012 -0700 nilfs2: fix NULL pointer dereference in nilfs_load_super_block() According to the report from Slicky Devil, nilfs caused kernel oops at nilfs_load_super_block function during mount after he shrank the partition without resizing the filesystem: BUG: unable to handle kernel NULL pointer dereference at 00000048 IP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] *pde = 00000000 Oops: 0000 [#1] PREEMPT SMP ... Call Trace: [] init_nilfs+0x4b/0x2e0 [nilfs2] [] nilfs_mount+0x447/0x5b0 [nilfs2] [] mount_fs+0x36/0x180 [] vfs_kern_mount+0x51/0xa0 [] do_kern_mount+0x3e/0xe0 [] do_mount+0x169/0x700 [] sys_mount+0x6b/0xa0 [] sysenter_do_call+0x12/0x28 Code: 53 18 8b 43 20 89 4b 18 8b 4b 24 89 53 1c 89 43 24 89 4b 20 8b 43 20 c7 43 2c 00 00 00 00 23 75 e8 8b 50 68 89 53 28 8b 54 b3 20 <8b> 72 48 8b 7a 4c 8b 55 08 89 b3 84 00 00 00 89 bb 88 00 00 00 EIP: [] nilfs_load_super_block+0x17e/0x280 [nilfs2] SS:ESP 0068:ca9bbdcc CR2: 0000000000000048 This turned out due to a defect in an error path which runs if the calculated location of the secondary super block was invalid. This patch fixes it and eliminates the reported oops. Reported-by: Slicky Devil Signed-off-by: Ryusuke Konishi Tested-by: Slicky Devil Cc: [2.6.30+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8067d7f69bf27dc08057a771cf125e71e4575bf2 Author: Haogang Chen Date: Fri Mar 16 17:08:38 2012 -0700 nilfs2: clamp ns_r_segments_percentage to [1, 99] ns_r_segments_percentage is read from the disk. Bogus or malicious value could cause integer overflow and malfunction due to meaningless disk usage calculation. This patch reports error when mounting such bogus volumes. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e1a90645643f9b0194a5984ec8febd06360d5c8b Author: Eric Dumazet Date: Sat Mar 10 09:20:21 2012 +0000 tcp: fix syncookie regression commit ea4fc0d619 (ipv4: Don't use rt->rt_{src,dst} in ip_queue_xmit()) added a serious regression on synflood handling. Simon Kirby discovered a successful connection was delayed by 20 seconds before being responsive. In my tests, I discovered that xmit frames were lost, and needed ~4 retransmits and a socket dst rebuild before being really sent. In case of syncookie initiated connection, we use a different path to initialize the socket dst, and inet->cork.fl.u.ip4 is left cleared. As ip_queue_xmit() now depends on inet flow being setup, fix this by copying the temp flowi4 we use in cookie_v4_check(). Reported-by: Simon Kirby Bisected-by: Simon Kirby Signed-off-by: Eric Dumazet Tested-by: Eric Dumazet Signed-off-by: David S. Miller commit 06c6c8628bf38b08b4d97f4c55cde9fdecfb5d65 Author: Stanislav Kinsbursky Date: Mon Mar 12 02:59:41 2012 +0000 tun: don't hold network namespace by tun sockets v3: added previously removed sock_put() to the tun_release() callback, because sk_release_kernel() doesn't drop the socket reference. v2: sk_release_kernel() used for socket release. Dummy tun_release() is required for sk_release_kernel() ---> sock_release() ---> sock->ops->release() call. TUN was designed to destroy it's socket on network namesapce shutdown. But this will never happen for persistent device, because it's socket holds network namespace. This patch removes of holding network namespace by TUN socket and replaces it by creating socket in init_net and then changing it's net it to desired one. On shutdown socket is moved back to init_net prior to final put. Signed-off-by: Stanislav Kinsbursky Signed-off-by: David S. Miller commit 46ae7374bd387c58d673a9e58852a9fd31042c5c Author: Tyler Hicks Date: Mon Dec 12 10:02:30 2011 -0600 vfs: Correctly set the dir i_mutex lockdep class 9a7aa12f3911853a introduced additional logic around setting the i_mutex lockdep class for directory inodes. The idea was that some filesystems may want their own special lockdep class for different directory inodes and calling unlock_new_inode() should not clobber one of those special classes. I believe that the added conditional, around the *negated* return value of lockdep_match_class(), caused directory inodes to be placed in the wrong lockdep class. inode_init_always() sets the i_mutex lockdep class with i_mutex_key for all inodes. If the filesystem did not change the class during inode initialization, then the conditional mentioned above was false and the directory inode was incorrectly left in the non-directory lockdep class. If the filesystem did set a special lockdep class, then the conditional mentioned above was true and that class was clobbered with i_mutex_dir_key. This patch removes the negation from the conditional so that the i_mutex lockdep class is properly set for directory inodes. Special classes are preserved and directory inodes with unmodified classes are set with i_mutex_dir_key. Signed-off-by: Tyler Hicks Reviewed-by: Jan Kara Signed-off-by: Al Viro commit 603590b0d2eca61ce26499eac9c563bc567a18c9 Author: Jan Kara Date: Mon Feb 20 17:54:00 2012 +0100 udf: Fix deadlock in udf_release_file() udf_release_file() can be called from munmap() path with mmap_sem held. Thus we cannot take i_mutex there because that ranks above mmap_sem. Luckily, i_mutex is not needed in udf_release_file() anymore since protection by i_data_sem is enough to protect from races with write and truncate. Reported-by: Al Viro Reviewed-by: Namjae Jeon Signed-off-by: Jan Kara Signed-off-by: Al Viro commit ca79ab9034f3c2f7e3f65c35e0d9ed3ecea529bf Author: Miklos Szeredi Date: Tue Mar 6 13:56:33 2012 +0100 vfs: fix double put after complete_walk() complete_walk() already puts nd->path, no need to do it again at cleanup time. This would result in Oopses if triggered, apparently the codepath is not too well exercised. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro commit 13885ba2b18400f3ef6540497d30f1af896605e5 Author: Miklos Szeredi Date: Tue Mar 6 13:56:34 2012 +0100 vfs: fix return value from do_last() complete_walk() returns either ECHILD or ESTALE. do_last() turns this into ECHILD unconditionally. If not in RCU mode, this error will reach userspace which is complete nonsense. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Al Viro Conflicts: fs/namei.c commit f5ab7572c99ffb58953eb1070622307e904c3b7f Author: Al Viro Date: Sat Mar 10 17:07:28 2012 -0500 restore smp_mb() in unlock_new_inode() wait_on_inode() doesn't have ->i_lock Signed-off-by: Al Viro commit f3e758cd08e3881982d4b78eb72fe8a1ead6b872 Author: David S. Miller Date: Tue Mar 13 18:19:51 2012 -0700 sparc32: Add -Av8 to assembler command line. Newer version of binutils are more strict about specifying the correct options to enable certain classes of instructions. The sparc32 build is done for v7 in order to support sun4c systems which lack hardware integer multiply and divide instructions. So we have to pass -Av8 when building the assembler routines that use these instructions and get patched into the kernel when we find out that we have a v8 capable cpu. Reported-by: Paul Gortmaker Signed-off-by: David S. Miller commit 66276ec78b2a971d2e704e5ef963cdc8b6a049a4 Author: Thomas Gleixner Date: Fri Mar 9 20:55:10 2012 +0100 x86: Derandom delay_tsc for 64 bit Commit f0fbf0abc093 ("x86: integrate delay functions") converted delay_tsc() into a random delay generator for 64 bit. The reason is that it merged the mostly identical versions of delay_32.c and delay_64.c. Though the subtle difference of the result was: static void delay_tsc(unsigned long loops) { - unsigned bclock, now; + unsigned long bclock, now; Now the function uses rdtscl() which returns the lower 32bit of the TSC. On 32bit that's not problematic as unsigned long is 32bit. On 64 bit this fails when the lower 32bit are close to wrap around when bclock is read, because the following check if ((now - bclock) >= loops) break; evaluated to true on 64bit for e.g. bclock = 0xffffffff and now = 0 because the unsigned long (now - bclock) of these values results in 0xffffffff00000001 which is definitely larger than the loops value. That explains Tvortkos observation: "Because I am seeing udelay(500) (_occasionally_) being short, and that by delaying for some duration between 0us (yep) and 491us." Make those variables explicitely u32 again, so this works for both 32 and 64 bit. Reported-by: Tvrtko Ursulin Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org # >= 2.6.27 Signed-off-by: Linus Torvalds commit 2d0ddb60f5031bdf79b4d51225f9f2d5856255bf Author: Al Viro Date: Thu Mar 8 17:51:19 2012 +0000 aio: fix the "too late munmap()" race Current code has put_ioctx() called asynchronously from aio_fput_routine(); that's done *after* we have killed the request that used to pin ioctx, so there's nothing to stop io_destroy() waiting in wait_for_all_aios() from progressing. As the result, we can end up with async call of put_ioctx() being the last one and possibly happening during exit_mmap() or elf_core_dump(), neither of which expects stray munmap() being done to them... We do need to prevent _freeing_ ioctx until aio_fput_routine() is done with that, but that's all we care about - neither io_destroy() nor exit_aio() will progress past wait_for_all_aios() until aio_fput_routine() does really_put_req(), so the ioctx teardown won't be done until then and we don't care about the contents of ioctx past that point. Since actual freeing of these suckers is RCU-delayed, we don't need to bump ioctx refcount when request goes into list for async removal. All we need is rcu_read_lock held just over the ->ctx_lock-protected area in aio_fput_routine(). Signed-off-by: Al Viro Reviewed-by: Jeff Moyer Acked-by: Benjamin LaHaise Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 002124c055afbf09b52226af65621999e8316448 Author: Al Viro Date: Wed Mar 7 05:16:35 2012 +0000 aio: fix io_setup/io_destroy race Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro Acked-by: Benjamin LaHaise Reviewed-by: Jeff Moyer Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit a1cd2719b8ed8e40dbd98c87713ac23a2169f6d8 Author: Dan Carpenter Date: Thu Mar 15 15:17:12 2012 -0700 drivers/video/backlight/s6e63m0.c: fix corruption storing gamma mode strict_strtoul() writes a long but ->gamma_mode only has space to store an int, so on 64 bit systems we end up scribbling over ->gamma_table_count as well. I've changed it to use kstrtouint() instead. Signed-off-by: Dan Carpenter Acked-by: Inki Dae Signed-off-by: Florian Tobias Schandinat Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf83f735a5571f4341ee6eab947a1f7d833cea6e Merge: e4b05b6 eae671f Author: Brad Spengler Date: Fri Mar 16 21:04:27 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit eae671fafe93f04685c04a089cc13efebc05d600 Author: Brad Spengler Date: Fri Mar 16 20:58:01 2012 -0400 Update to pax-linux-3.2.11-test31.patch Introduction of the size_overflow plugin from Emese Revfy Many thanks to Emese for her hard work :) commit e4b05b65c645c412eceb9c950ee7b4771627e6b1 Merge: e55aa68 258c015 Author: Brad Spengler Date: Thu Mar 15 20:59:19 2012 -0400 Merge branch 'pax-test' into grsec-test commit 258c0159fa6dd5044ca984eeaad57bb6e21bacea Author: Brad Spengler Date: Thu Mar 15 20:59:05 2012 -0400 fix ARM compilation commit e55aa68f4bb20e75cd7423123aa612c2a69590c0 Merge: 8f95ea9 55b7573 Author: Brad Spengler Date: Wed Mar 14 19:33:41 2012 -0400 Merge branch 'pax-test' into grsec-test commit 55b7573f6c2f3be26fb39c7bd6a9d742d02811ca Author: Brad Spengler Date: Wed Mar 14 19:33:15 2012 -0400 Update to pax-linux-3.2.10-test28.patch commit 8f95ea9f718c293794a1f6bdd2a5f5f336f7bd64 Merge: c8786a2 886ac5e Author: Brad Spengler Date: Tue Mar 13 17:38:13 2012 -0400 Merge branch 'pax-test' into grsec-test Greets and thanks to snq for his assistance in testing/debugging REFCOUNT on ARM :) commit 886ac5eeb1835e87cf7398b8aae9e9ba6b36bf77 Author: Brad Spengler Date: Tue Mar 13 17:37:44 2012 -0400 Update to pax-linux-3.2.10-test26.patch commit c8786a2abed5e5327f68efa520c04db99bb6a63a Merge: 219c982 c061fcf Author: Brad Spengler Date: Tue Mar 13 17:25:06 2012 -0400 Merge branch 'pax-test' into grsec-test commit c061fcfa6b78f3774800821144d8ac2d94d7da3e Merge: 89373d2 3f4b3b2 Author: Brad Spengler Date: Tue Mar 13 17:25:02 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 219c982a05abe47be4ea7d749e1b408e0cb86f1f Merge: 54e19a3 89373d2 Author: Brad Spengler Date: Mon Mar 12 17:23:57 2012 -0400 Merge branch 'pax-test' into grsec-test commit 89373d2abafb9bda97f78bdb157d1d05cf21e008 Merge: a778588 7459f11 Author: Brad Spengler Date: Mon Mar 12 17:23:49 2012 -0400 Merge branch 'linux-3.2.y' into pax-test commit 54e19a3979978fca902b14ae25125f26fbbbc7a7 Merge: c4650f1 a778588 Author: Brad Spengler Date: Mon Mar 12 16:51:25 2012 -0400 Merge branch 'pax-test' into grsec-test commit a778588c9d1b75c48c1f09aac98c1b28bd87a749 Author: Brad Spengler Date: Mon Mar 12 16:51:12 2012 -0400 Update to pax-linux-3.2.9-test24.patch commit c4650f14b13f84735fe3de06a1f3ff5776473eff Merge: fb2abee 1015790 Author: Brad Spengler Date: Sun Mar 11 21:08:28 2012 -0400 Merge branch 'pax-test' into grsec-test Conflicts: security/Kconfig commit 101579028a736c224e590c7e12a7357018c424e1 Author: Brad Spengler Date: Sun Mar 11 21:07:27 2012 -0400 Update to pax-linux-3.2.9-test22.patch commit fb2abee4b9b49f5f18342a8cdf7aa3ba2b7c9100 Author: Brad Spengler Date: Sun Mar 11 11:02:17 2012 -0400 Allow 4096 CPUs commit 96bae28cbe6a41d48e3b56e5904814096e956000 Author: Brad Spengler Date: Sun Mar 11 10:25:58 2012 -0400 Use a per-cpu 48-bit counter instead of a global atomic64 Initialize each counter to have the cpu number in the lower 16 bits instead of incrementing the counter each time by 1, perform the increments above the cpu number so that wrapping/exhausting the counter doesn't corrupt any state idea from PaX Team commit b975688101da6e966aebb1bc6b8c5c5983974f9c Author: Brad Spengler Date: Sat Mar 10 20:33:12 2012 -0500 Special vnsec edition! :) Further reduce argv/env allowance for suid/sgid apps to 512KB Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap) Clear 3GB personality on suid/sgid binaries Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64) with the main purpose of throwing off program stack -> arg/env alignment Update documentation commit e5cfa902c4e891d11dd2086543d2555aa0c27d33 Author: Brad Spengler Date: Sat Mar 10 19:54:47 2012 -0500 Resolve skbuff.h warnings that turn into errors during compilation in the grsecurity directory with -Werror commit 2023210ad43a944033fcacc660ce410888f562ee Merge: ece4383 5f66adf Author: Brad Spengler Date: Fri Mar 9 19:48:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 5f66adf72f83730a07bc79a2fab56afed6dbbd0e Author: Brad Spengler Date: Fri Mar 9 19:47:06 2012 -0500 Add colorize plugin commit ece4383e5e91c92d138c4df84225a70b552f4d69 Merge: a366d0e ab4a5a1 Author: Brad Spengler Date: Fri Mar 9 17:56:46 2012 -0500 Merge branch 'pax-test' into grsec-test commit ab4a5a1a67289c3585e2ff8aa64ecece7bd17eea Author: Brad Spengler Date: Fri Mar 9 17:56:26 2012 -0500 Update to pax-linux-3.2.9-test21.patch commit a366d0ed963ce93fce10121c1100989d5f064e75 Author: Mikulas Patocka Date: Sun Mar 4 19:52:03 2012 -0500 mm: fix find_vma_prev Commit 6bd4837de96e ("mm: simplify find_vma_prev()") broke memory management on PA-RISC. After application of the patch, programs that allocate big arrays on the stack crash with segfault, for example, this will crash if compiled without optimization: int main() { char array[200000]; array[199999] = 0; return 0; } The reason is that PA-RISC has up-growing stack and the stack is usually the last memory area. In the above example, a page fault happens above the stack. Previously, if we passed too high address to find_vma_prev, it returned NULL and stored the last VMA in *pprev. After "simplify find_vma_prev" change, it stores NULL in *pprev. Consequently, the stack area is not found and it is not expanded, as it used to be before the change. This patch restores the old behavior and makes it return the last VMA in *pprev if the requested address is higher than address of any other VMA. Signed-off-by: Mikulas Patocka Acked-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds commit 9cd8dd4d56051099f11563f72fcd91cd0ce19604 Author: Hugh Dickins Date: Tue Mar 6 12:28:52 2012 -0800 mmap: EINVAL not ENOMEM when rejecting VM_GROWS Currently error is -ENOMEM when rejecting VM_GROWSDOWN|VM_GROWSUP from shared anonymous: hoist the file case's -EINVAL up for both. Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds commit 97745dce6c87f9d9ca5b4be9bd4c2fc1684ca04c Author: Al Viro Date: Mon Mar 5 06:38:42 2012 +0000 aout: move setup_arg_pages() prior to reading/mapping the binary Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 3b20ce55ae8cffee43cb4afdf5be438b5ac4fef0 Author: Jan Beulich Date: Mon Mar 5 16:49:24 2012 +0000 vsprintf: make %pV handling compatible with kasprintf() kasprintf() (and potentially other functions that I didn't run across so far) want to evaluate argument lists twice. Caring to do so for the primary list is obviously their job, but they can't reasonably be expected to check the format string for instances of %pV, which however need special handling too: On architectures like x86-64 (as opposed to e.g. ix86), using the same argument list twice doesn't produce the expected results, as an internally managed cursor gets updated during the first run. Fix the problem by always acting on a copy of the original list when handling %pV. Signed-off-by: Jan Beulich Signed-off-by: Linus Torvalds commit 4146896ab9674f51d4909f3a52bc7fe80f04e4cb Author: Al Viro Date: Mon Mar 5 06:39:47 2012 +0000 VM_GROWS{UP,DOWN} shouldn't be set on shmem VMAs Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit a831bd53764695ea680cc1fa3c98759a610ed2ac Author: Christian König Date: Tue Feb 28 23:19:20 2012 +0100 drm/radeon: fix uninitialized variable Without this fix the driver randomly treats textures as arrays and I'm really wondering why gcc isn't complaining about it. Signed-off-by: Christian König Reviewed-by: Jerome Glisse Signed-off-by: Dave Airlie commit aa2cd55f97f3cc03bdd895b6e8ba99619ee69dfc Author: H. Peter Anvin Date: Fri Mar 2 10:43:48 2012 -0800 regset: Prevent null pointer reference on readonly regsets The regset common infrastructure assumed that regsets would always have .get and .set methods, but not necessarily .active methods. Unfortunately people have since written regsets without .set methods. Rather than putting in stub functions everywhere, handle regsets with null .get or .set methods explicitly. Signed-off-by: H. Peter Anvin Reviewed-by: Oleg Nesterov Acked-by: Roland McGrath Cc: Signed-off-by: Linus Torvalds commit 072ddd99401c79b53c6bf6bff9deb93022124c79 Author: Brad Spengler Date: Mon Mar 5 18:12:57 2012 -0500 Fix compiler errors reported on forums commit 1606774b48af24e6f99d99c624c0e447d4b66474 Merge: 3127bd5 4ca2ffd Author: Brad Spengler Date: Mon Mar 5 17:31:35 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4ca2ffd9da024f4ba2d0cb6245ba1b2726169452 Author: Brad Spengler Date: Mon Mar 5 17:31:21 2012 -0500 Update to pax-linux-3.2.9-test20.patch commit 3127bd581a292966b1057c7433219dac188c3720 Author: Brad Spengler Date: Fri Mar 2 21:30:37 2012 -0500 Fix memory leak on logged exec_id check failure in /proc/pid/statm Thanks to Djalal Harouni for the report commit d9f1a3be0e97e0632f97379322712d8deeb3ce23 Merge: 0a56be8 9aa8288 Author: Brad Spengler Date: Fri Mar 2 18:38:22 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9aa8288a09e6e03ce37c08136b26bff17a093b5c Author: Brad Spengler Date: Fri Mar 2 18:37:43 2012 -0500 Update to pax-linux-3.2.9-test19.patch commit 0a56be884bbd7ce733cac0b879c45383494d73b0 Merge: 9e66745 3f5c52a Author: Brad Spengler Date: Thu Mar 1 20:18:01 2012 -0500 Merge branch 'pax-test' into grsec-test commit 3f5c52aba100b3bb252980f9d363aafde52da1a2 Author: Brad Spengler Date: Thu Mar 1 20:16:56 2012 -0500 Update to pax-linux-3.2.9-test18.patch commit ae53ec231d12719a36bf871f8c5841020ed692ee Merge: b255baf 44fb317 Author: Brad Spengler Date: Thu Mar 1 20:15:31 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 9e667456c03eadea2f305be761abe4de9a5877a3 Merge: 5e4e200 b255baf Author: Brad Spengler Date: Mon Feb 27 20:53:59 2012 -0500 Merge branch 'pax-test' into grsec-test commit b255baf50365d39b406f43aab2c64745607baaa2 Merge: 340ce90 1de504e Author: Brad Spengler Date: Mon Feb 27 20:53:29 2012 -0500 Merge branch 'linux-3.2.y' into pax-test Update to pax-linux-3.2.8-test17.patch Conflicts: arch/x86/include/asm/i387.h arch/x86/kernel/process_32.c arch/x86/kernel/traps.c commit 5e4e200ac530452884b625cb75de240e1e98c731 Merge: 44306d7 340ce90 Author: Brad Spengler Date: Mon Feb 27 18:02:13 2012 -0500 Merge branch 'pax-test' into grsec-test commit 340ce90d98a043fa8e4ed9ffc229d4c1f86e2fec Author: Brad Spengler Date: Mon Feb 27 18:01:48 2012 -0500 Update to pax-linux-3.2.7-test17.patch commit 44306d7b3097f77e73040dd25f4f6750751bae7a Merge: 29d0b07 521c411 Author: Brad Spengler Date: Sun Feb 26 19:04:15 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: Makefile commit 521c411bb4ca66ce01146fde8bac9dd22414076d Author: Brad Spengler Date: Sun Feb 26 19:03:33 2012 -0500 Update to pax-linux-3.2.7-test16.patch commit 29d0b07290bb9a10cdfcc3c30058e16265330dea Author: Brad Spengler Date: Sun Feb 26 17:12:44 2012 -0500 fix typo commit 344f6d84e5d3fdc6ec40a078fc2f5861d340b2ef Merge: f45b3be caa8f83 Author: Brad Spengler Date: Sat Feb 25 20:59:27 2012 -0500 Merge branch 'pax-test' into grsec-test commit caa8f83456c4d0b204beefffaa1d1993f2348d08 Author: Brad Spengler Date: Sat Feb 25 20:59:12 2012 -0500 Update to pax-linux-3.2.7-test15.patch commit f45b3be34a345502a302e736af9a65742ddef7cb Merge: 62f35fd 9f1309b Author: Brad Spengler Date: Sat Feb 25 11:40:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 9f1309b0b935e3b30fc87a9e3009b84cf943ef47 Author: Brad Spengler Date: Sat Feb 25 11:39:57 2012 -0500 Update to pax-linux-3.2.7-test14.patch commit 62f35fdbecc58f2988fe13638d907b87a15776bb Author: Brad Spengler Date: Sat Feb 25 09:08:55 2012 -0500 We could log on attempted exploits of writing /proc/self/mem, but the current log function declares the access a read, so just swap the ordering for now commit 066ee8f9c26f1549b4ad893508777b549c8d4b79 Author: Brad Spengler Date: Sat Feb 25 08:46:14 2012 -0500 Log /proc/pid/mem attempts commit 674471e581893a94d475acac3e3c4496209b3ac9 Author: Brad Spengler Date: Sat Feb 25 08:15:00 2012 -0500 Make use of f_version for protecting /proc file structs (fine since we're not a directory or seq_file) commit eab42cfdd237ffcdd8ec24bedecc275a3a9e987f Author: Brad Spengler Date: Fri Feb 24 20:02:19 2012 -0500 Fix ia64 compilation commit 50dfea412fd395e0183c2ade368efa525d38b267 Merge: 12db845 4c6f99b Author: Brad Spengler Date: Fri Feb 24 19:00:53 2012 -0500 Merge branch 'pax-test' into grsec-test commit 4c6f99bf338e03966356b147d0360cb3b522a44f Author: Brad Spengler Date: Fri Feb 24 19:00:36 2012 -0500 (6:57:09 PM) pipacs: but you can be proactive (Fix other-arch atomic64/REFCOUNT compilation failures) commit 12db8453f6bb0a756f369c9151668ba1249bc478 Author: Brad Spengler Date: Thu Feb 23 21:10:12 2012 -0500 Remove unnecessary copies, as suggested by solar commit cc02cab84368467ea03cb35f861a8a7092d91ab4 Author: Brad Spengler Date: Thu Feb 23 20:59:35 2012 -0500 Make global_exec_counter static, as suggested by solar commit e642091a475ebb3a30e81f85e7751233d0c2af43 Author: Brad Spengler Date: Thu Feb 23 19:00:26 2012 -0500 sync with stable tree commit 6df09c3d8e371905b7b8fe90c4188f23614c6be5 Author: Brad Spengler Date: Thu Feb 23 18:48:47 2012 -0500 Remove unneeded gr_acl_handle_fchmod, as the code is shared now by gr_acl_handle_chmod Remove handling of old kludge in chmod/fchmod commit 815cb62f2ca7b58efc39778b3a855feb675ab56c Author: Brad Spengler Date: Thu Feb 23 18:18:49 2012 -0500 Apply umask checks to chmod/fchmod as well, as requested by sponsor Union the enforced umask with the existing one to produce minimal privilege Change umask type to u16 commit 0e7668c6abbdbcd3f7f9759e3994d6f4bc9953f0 Author: Brad Spengler Date: Wed Feb 22 18:16:11 2012 -0500 Add per-role umask enforcement to RBAC, requested by a sponsor commit ad5ac943fe58199f1cc475912a39edb157acb77b Merge: dda0bb5 41722e3 Author: Brad Spengler Date: Mon Feb 20 20:04:42 2012 -0500 Merge branch 'pax-test' into grsec-test commit 41722e342e116d95f3d3556d66c97c888d752d39 Author: Brad Spengler Date: Mon Feb 20 20:04:00 2012 -0500 Merge changes from pax-linux-3.2.7-test12.patch, fixes KVM incompatibility with KERNEXEC plugin commit dda0bb57137846a476a866c60db2681aaf6052c0 Merge: 4fd554e d70927a Author: Brad Spengler Date: Mon Feb 20 20:01:41 2012 -0500 Merge branch 'pax-test' into grsec-test commit d70927afec977d489a54c106a3c3ddc32e953050 Merge: 1daebf1 9d0231c Author: Brad Spengler Date: Mon Feb 20 20:01:33 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 4fd554e3a097b22c5049fcdc423897477deff5ef Author: Brad Spengler Date: Mon Feb 20 09:17:57 2012 -0500 Fix wrong logic on capability checks for switching roles, broke policies Thanks to Richard Kojedzinszky for reporting commit 12f97d52ac603f24344f8d71569c412a307e9422 Author: Brad Spengler Date: Thu Feb 16 21:20:10 2012 -0500 sparc64 compile fix commit 07af3d8e76a6a47ce1836e5b20ed8c0f879c8201 Author: Brad Spengler Date: Thu Feb 16 18:38:32 2012 -0500 Update configuration help and name for GRKERNSEC_PROC_MEMMAP commit 5ced6f8def06c2176b40b5fa07345fc723dc4dcb Author: Brad Spengler Date: Thu Feb 16 18:18:01 2012 -0500 optimize the check a bit commit 03159050f64989be44ae03be769cbed62a7cd2e5 Author: Brad Spengler Date: Thu Feb 16 18:00:45 2012 -0500 smile VUPEN :D (limit argv+env to 1MB for suid/sgid binaries) commit dd759d8800d225a397e4de49fe729c7d601298d2 Author: Brad Spengler Date: Thu Feb 16 17:49:33 2012 -0500 Address Space Protection -> Memory Protections (suggested on IRC for consistency) commit 4de635bda8ebfb85312e3bf851bdbff93de400da Author: Brad Spengler Date: Thu Feb 16 17:45:06 2012 -0500 Change the long long type for exec_id to the proper u64 commit 4feb07e7cb64b3d0f0f8cca1aef70bc725cae6fa Author: Dan Carpenter Date: Thu Feb 9 00:46:47 2012 +0000 isdn: type bug in isdn_net_header() We use len to store the return value from eth_header(). eth_header() can return -ETH_HLEN (-14). We want to pass this back instead of truncating it to 65522 and returning that. Signed-off-by: Dan Carpenter Acked-by: Neil Horman Signed-off-by: David S. Miller commit 134ac8545b47f0f27d550ea6e1edb3a1ed7a9748 Author: Heiko Carstens Date: Sat Feb 4 10:47:10 2012 +0100 exec: fix use-after-free bug in setup_new_exec() Setting the task name is done within setup_new_exec() by accessing bprm->filename. However this happens after flush_old_exec(). This may result in a use after free bug, flush_old_exec() may "complete" vfork_done, which will wake up the parent which in turn may free the passed in filename. To fix this add a new tcomm field in struct linux_binprm which contains the now early generated task name until it is used. Fixes this bug on s390: Unable to handle kernel pointer dereference at virtual kernel address 0000000039768000 Process kworker/u:3 (pid: 245, task: 000000003a3dc840, ksp: 0000000039453818) Krnl PSW : 0704000180000000 0000000000282e94 (setup_new_exec+0xa0/0x374) Call Trace: ([<0000000000282e2c>] setup_new_exec+0x38/0x374) [<00000000002dd12e>] load_elf_binary+0x402/0x1bf4 [<0000000000280a42>] search_binary_handler+0x38e/0x5bc [<0000000000282b6c>] do_execve_common+0x410/0x514 [<0000000000282cb6>] do_execve+0x46/0x58 [<00000000005bce58>] kernel_execve+0x28/0x70 [<000000000014ba2e>] ____call_usermodehelper+0x102/0x140 [<00000000005bc8da>] kernel_thread_starter+0x6/0xc [<00000000005bc8d4>] kernel_thread_starter+0x0/0xc Last Breaking-Event-Address: [<00000000002830f0>] setup_new_exec+0x2fc/0x374 Kernel panic - not syncing: Fatal exception: panic_on_oops Reported-by: Sebastian Ott Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds commit d758ee9f5230893dabb5aab737b3109684bde196 Author: Dan Carpenter Date: Fri Feb 10 09:03:58 2012 +0100 relay: prevent integer overflow in relay_open() "subbuf_size" and "n_subbufs" come from the user and they need to be capped to prevent an integer overflow. Signed-off-by: Dan Carpenter Cc: stable@kernel.org Signed-off-by: Jens Axboe commit 40ed7b34848b8e0d7bf9a3fc21a7c75ce1ae507c Merge: b1baadf 1daebf1 Author: Brad Spengler Date: Mon Feb 13 17:47:04 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/proc/base.c commit 1daebf1d623fe5b0efdd329f78562eb7078bc772 Merge: 1413df2 c2db2e2 Author: Brad Spengler Date: Mon Feb 13 17:45:54 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit b1baadf5047ab67cf61cd20bf58c6afb09c37c7d Author: Brad Spengler Date: Sun Feb 12 16:44:05 2012 -0500 add missing declaration commit 3981059c35e8463002517935c28f3d74b8e3703c Author: Brad Spengler Date: Sun Feb 12 16:36:04 2012 -0500 Require CAP_SETUID/CAP_SETGID in a subject in order to change roles in addition to existing checks (this handles the setresuid ruid = euid case) commit 0beab03263c773f463412c350ad9064b44b6ede0 Author: Brad Spengler Date: Sun Feb 12 16:13:40 2012 -0500 Revert setreuid changes when RBAC is enabled, breaks freeradius I'll fix the learning issue Lavish reported a different way through gradm modifications This reverts commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111. commit 0c61cb1cfbbfec7d07647268c922d51434d22621 Author: Brad Spengler Date: Sat Feb 11 14:22:46 2012 -0500 copy exec_id on fork commit 000c08e0890630086b2ed04084050ed856a7ec31 Author: Brad Spengler Date: Fri Feb 10 20:00:36 2012 -0500 compile fix commit 54b8c8f54484e5ee18040657827158bc4b63bccc Author: Brad Spengler Date: Fri Feb 10 19:19:52 2012 -0500 Introduce enhancement to CONFIG_GRKERNSEC_PROC_MEMMAP denies reading of sensitive /proc/pid entries where the file descriptor was opened in a different task than the one performing the read commit dd19579049186e2648b9ae5e42af04cfda7ab2dc Author: Brad Spengler Date: Fri Feb 10 17:43:24 2012 -0500 Remove duplicate signal check commit 6ff60c34155bb73a4eec7bbfe6f59e9d35e1c0c6 Merge: 4eba97e 1413df2 Author: Brad Spengler Date: Wed Feb 8 19:24:34 2012 -0500 Merge branch 'pax-test' into grsec-test commit 1413df258d4664d928b876ffb57e1bdc1ccd06f6 Author: Brad Spengler Date: Wed Feb 8 19:24:08 2012 -0500 Merge changes from pax-linux-3.2.4-test11.patch commit 4eba97eda7f7d25b7ab6ad5c9de094545e749044 Merge: 0e058dd 8dd90a2 Author: Brad Spengler Date: Mon Feb 6 17:50:12 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8dd90a21adfeefd86134d1fedf77b958bc59eaa3 Author: Brad Spengler Date: Mon Feb 6 17:49:07 2012 -0500 Merge changes from pax-linux-3.2.4-test10.patch, fixes BPF JIT double-free commit a6b5dfed0937a0eb386b4b519a387f8e8177ffdc Merge: 7e4169c 6133971 Author: Brad Spengler Date: Mon Feb 6 17:48:57 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 0e058dd6d14e0c67c44dd332a871f1fe1bb06095 Author: Brad Spengler Date: Sun Feb 5 19:24:45 2012 -0500 We now allow configurations with no PaX markings, giving the system no way to override the defaults commit 9afb0110287e31c3c56d861b4927f64f8dbd7857 Author: Brad Spengler Date: Sun Feb 5 10:01:23 2012 -0500 Increase the buffer size of logged TPE reason, otherwise we could truncate the "y" in directory commit a6a0ad24a5f7bef90236d94c1bdfe21d291fc834 Author: Brad Spengler Date: Sat Feb 4 21:01:16 2012 -0500 Improve security of ptrace-based monitoring/sandboxing See: http://article.gmane.org/gmane.linux.kernel.lsm/15156 commit ca4ca5a1027b41f9528794e52a53ce9c47926101 Author: Brad Spengler Date: Fri Feb 3 20:42:55 2012 -0500 fix typo commit d54ec64b7078f1dcb71b5d8a29e47d4a0f46c111 Author: Brad Spengler Date: Fri Feb 3 20:25:38 2012 -0500 Reported by lavish on IRC: If a suid/sgid binary did not learn any setuid/setgid call during learning, we would not any CAP_SETUID/CAP_SETGID capability to the task, nor any restrictions on uid/gid changes. uid and gid can however be changed within a suid/sgid binary via setresuid/setresgid with ruid/rgid set to euid/egid. My fix: POSIX doesn't specify whether unprivileged users can perform the above setresuid/setresgid as an unprivileged user, though Linux has historically permitted them. Modify this behavior when RBAC is enabled to require CAP_SETUID/CAP_SETGID for these operations. Thanks to Lavish for the report! Conflicts: kernel/sys.c commit e55be1f30908f1ad4450cb0558cde71ff5c7247f Merge: ba586eb 7e4169c Author: Brad Spengler Date: Fri Feb 3 20:10:21 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e4169c6c880ec9641f1178c88545913c8a21e1f Author: Brad Spengler Date: Fri Feb 3 20:10:05 2012 -0500 Merge changes from pax-linux-3.2.4-test9.patch commit ba586ebbcd0ed781e38a99c580a757a00347c6eb Author: Christopher Yeoh Date: Thu Feb 2 11:34:09 2012 +1030 Fix race in process_vm_rw_core This fixes the race in process_vm_core found by Oleg (see http://article.gmane.org/gmane.linux.kernel/1235667/ for details). This has been updated since I last sent it as the creation of the new mm_access() function did almost exactly the same thing as parts of the previous version of this patch did. In order to use mm_access() even when /proc isn't enabled, we move it to kernel/fork.c where other related process mm access functions already are. Signed-off-by: Chris Yeoh Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c mm/process_vm_access.c commit b9194d60fb9fe579f5c34817ed822abde18939a0 Author: Oleg Nesterov Date: Tue Jan 31 17:15:11 2012 +0100 proc: make sure mem_open() doesn't pin the target's memory Once /proc/pid/mem is opened, the memory can't be released until mem_release() even if its owner exits. Change mem_open() to do atomic_inc(mm_count) + mmput(), this only pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) before access_remote_vm(), this verifies that this mm is still alive. I am not sure what should mem_rw() return if atomic_inc_not_zero() fails. With this patch it returns zero to match the "mm == NULL" case, may be it should return -EINVAL like it did before e268337d. Perhaps it makes sense to add the additional fatal_signal_pending() check into the main loop, to ensure we do not hold this memory if the target task was oom-killed. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d4500134f9363bc79556e0e7a1fd811cd8552cc4 Author: Oleg Nesterov Date: Tue Jan 31 17:14:38 2012 +0100 proc: mem_release() should check mm != NULL mem_release() can hit mm == NULL, add the necessary check. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit 5d1c11221a86f233fdbb232312a561f85d0a3a05 Author: Oleg Nesterov Date: Tue Jan 31 17:14:54 2012 +0100 note: redisabled mem_write proc: unify mem_read() and mem_write() No functional changes, cleanup and preparation. mem_read() and mem_write() are very similar. Move this code into the new common helper, mem_rw(), which takes the additional "int write" argument. Cc: stable@kernel.org Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds Conflicts: fs/proc/base.c commit af966b421d9f55ab7e1a8b2741beba44b22bc2e0 Merge: 3903f01 01fee18 Author: Brad Spengler Date: Fri Feb 3 19:50:40 2012 -0500 Merge branch 'pax-test' into grsec-test commit 01fee1851aef26b898ccba5312cabf1f919b74cb Author: Brad Spengler Date: Fri Feb 3 19:49:46 2012 -0500 Merge changes from pax-linux-3.2.4-test8.patch commit c2490ddbfc3f5dd664dd0e1b8575856c3be01879 Merge: 201c0db 141936c Author: Brad Spengler Date: Fri Feb 3 19:49:01 2012 -0500 Merge branch 'linux-3.2.y' into pax-test commit 3903f0172ecadf7a575ba3535402a1506133640a Author: Brad Spengler Date: Mon Jan 30 23:26:44 2012 -0500 Implement new version of CONFIG_GRKERNSEC_SYSFS_RESTRICT We'll whitelist required directories for compatibility instead of requiring that people disable the feature entirely if they use SELinux, fuse, etc Conflicts: fs/sysfs/mount.c commit e3618feaa7e63807f1b88c199882075b3ec9bd05 Author: Brad Spengler Date: Sun Jan 29 01:12:19 2012 -0500 perform RBAC check if TPE is on but match fails, matches previous behavior commit 627b7fe22799a86e2f81a74f0e0c53474bec3100 Author: Brad Spengler Date: Sat Jan 28 13:17:06 2012 -0500 log more information about the reason for a TPE denial for novice users, requested by a sponsor commit efefd67008cbad8a8591e2484410966a300a39a5 Author: Brad Spengler Date: Fri Jan 27 19:58:53 2012 -0500 merge upstream sha512 changes commit 8a79280377db78fb2091fe01eddb9e24f75d9fe1 Author: Brad Spengler Date: Fri Jan 27 19:49:07 2012 -0500 drop lock on error in xfs_readlink http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=aaad641eadfd3e74b0fbb68fcf539b9cef0415d0 commit aa5f2f63e37f426bf2211c5fb8f7bc70de14f08a Author: Li Wang Date: Thu Jan 19 09:44:36 2012 +0800 eCryptfs: Infinite loop due to overflow in ecryptfs_write() ecryptfs_write() can enter an infinite loop when truncating a file to a size larger than 4G. This only happens on architectures where size_t is represented by 32 bits. This was caused by a size_t overflow due to it incorrectly being used to store the result of a calculation which uses potentially large values of type loff_t. [tyhicks@canonical.com: rewrite subject and commit message] Signed-off-by: Li Wang Signed-off-by: Yunchuan Wen Reviewed-by: Cong Wang Cc: Signed-off-by: Tyler Hicks commit a7607747d0f74f357d78bb796d70635dd05f46e8 Author: Tyler Hicks Date: Thu Jan 19 20:33:44 2012 -0600 eCryptfs: Check inode changes in setattr Most filesystems call inode_change_ok() very early in ->setattr(), but eCryptfs didn't call it at all. It allowed the lower filesystem to make the call in its ->setattr() function. Then, eCryptfs would copy the appropriate inode attributes from the lower inode to the eCryptfs inode. This patch changes that and actually calls inode_change_ok() on the eCryptfs inode, fairly early in ecryptfs_setattr(). Ideally, the call would happen earlier in ecryptfs_setattr(), but there are some possible inode initialization steps that must happen first. Since the call was already being made on the lower inode, the change in functionality should be minimal, except for the case of a file extending truncate call. In that case, inode_newsize_ok() was never being called on the eCryptfs inode. Rather than inode_newsize_ok() catching maximum file size errors early on, eCryptfs would encrypt zeroed pages and write them to the lower filesystem until the lower filesystem's write path caught the error in generic_write_checks(). This patch introduces a new function, called ecryptfs_inode_newsize_ok(), which checks if the new lower file size is within the appropriate limits when the truncate operation will be growing the lower file. In summary this change prevents eCryptfs truncate operations (and the resulting page encryptions), which would exceed the lower filesystem limits or FSIZE rlimits, from ever starting. Signed-off-by: Tyler Hicks Reviewed-by: Li Wang Cc: commit 0d96f190a39505254ace4e9330219aaeda9b64e3 Author: Tyler Hicks Date: Wed Jan 18 18:30:04 2012 -0600 eCryptfs: Make truncate path killable ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a page, zeroes out the appropriate portions, and then encrypts the page before writing it to the lower filesystem. It was unkillable and due to the lack of sparse file support could result in tying up a large portion of system resources, while encrypting pages of zeros, with no way for the truncate operation to be stopped from userspace. This patch adds the ability for ecryptfs_write() to detect a pending fatal signal and return as gracefully as possible. The intent is to leave the lower file in a useable state, while still allowing a user to break out of the encryption loop. If a pending fatal signal is detected, the eCryptfs inode size is updated to reflect the modified inode size and then -EINTR is returned. Signed-off-by: Tyler Hicks Cc: commit a02d0d2516b9e92edffeb8fca87462bca49c1f6f Author: Tyler Hicks Date: Tue Jan 24 10:02:22 2012 -0600 eCryptfs: Fix oops when printing debug info in extent crypto functions If pages passed to the eCryptfs extent-based crypto functions are not mapped and the module parameter ecryptfs_verbosity=1 was specified at loading time, a NULL pointer dereference will occur. Note that this wouldn't happen on a production system, as you wouldn't pass ecryptfs_verbosity=1 on a production system. It leaks private information to the system logs and is for debugging only. The debugging info printed in these messages is no longer very useful and rather than doing a kmap() in these debugging paths, it will be better to simply remove the debugging paths completely. https://launchpad.net/bugs/913651 Signed-off-by: Tyler Hicks Reported-by: Daniel DeFreez Cc: commit b1c44d3054dc7f293b2e0a98c0e9e5e03e01f04c Author: Tyler Hicks Date: Thu Jan 12 11:30:44 2012 +0100 eCryptfs: Sanitize write counts of /dev/ecryptfs A malicious count value specified when writing to /dev/ecryptfs may result in a a very large kernel memory allocation. This patch peeks at the specified packet payload size, adds that to the size of the packet headers and compares the result with the write count value. The resulting maximum memory allocation size is approximately 532 bytes. Signed-off-by: Tyler Hicks Reported-by: Sasha Levin Cc: commit 96dcb7282d323813181a1791f51c0ab7696b675b Merge: 6c09fa5 201c0db Author: Brad Spengler Date: Fri Jan 27 19:44:15 2012 -0500 Merge branch 'pax-test' into grsec-test commit 201c0dbf177527367676028151e36d340923f033 Author: Brad Spengler Date: Fri Jan 27 19:43:24 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch, fixes 0 order vmalloc allocation errors on loading modules with empty sections commit 6c09fa566a7c29f00556ca12f343f2db91c4f42b Author: Brad Spengler Date: Fri Jan 27 19:42:13 2012 -0500 compile fix commit 917ae526b4fcec2b3e1afefa13de9dff7d8a5423 Author: Brad Spengler Date: Fri Jan 27 19:39:28 2012 -0500 use LSM flags instead of duplicating checks commit 0cf3be2ea2ae43c9dd4933fb26c0429041b8acb8 Merge: 44b9f11 558718b Author: Brad Spengler Date: Fri Jan 27 18:56:23 2012 -0500 Merge branch 'pax-test' into grsec-test commit 558718b2217beff69edf60f34a6f9893d910e9ac Author: Brad Spengler Date: Fri Jan 27 18:56:04 2012 -0500 Merge changes from pax-linux-3.2.2-test6.patch commit 44b9f1132b2de7cbf5f57525fe0f7f9fb0a76507 Author: Brad Spengler Date: Fri Jan 27 18:53:55 2012 -0500 don't increase the size of task_struct when unnecessary change ptrace_readexec log message commit a9c9626e054adb885883aa64f85506852894dd33 Author: Brad Spengler Date: Fri Jan 27 18:16:28 2012 -0500 Update documentation for CONFIG_GRKERNSEC_PTRACE_READEXEC -- the protection applies to all unreadable binaries. commit 98fdf4ab69eba7a72efb2054295daafdbbc2fb8f Merge: 7b3f3af 05a1349 Author: Brad Spengler Date: Wed Jan 25 20:52:09 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: block/scsi_ioctl.c drivers/scsi/sd.c fs/proc/base.c commit 05a134966efb9cb9346ad3422888969ffc79ac1d Author: Brad Spengler Date: Wed Jan 25 20:47:36 2012 -0500 Resync with pax-linux-3.2.2-test5.patch commit 5ecaafd81b229aeeb5656df36f9c8da86307f82a Merge: c6d443d 3499d64 Author: Brad Spengler Date: Wed Jan 25 20:45:16 2012 -0500 Merge branch 'linux-3.2.y' into pax-test (and pax-linux-3.2.2-test5.patch) Conflicts: ipc/shm.c commit 7b3f3afd7444613c759d68ff8c2efaebfae3bab1 Author: Brad Spengler Date: Tue Jan 24 19:42:01 2012 -0500 Add two new features, one is automatic by enabling CONFIG_GRKERNSEC (may be changed if it breaks some userland), the other has its own config option First feature requires CAP_SYS_ADMIN to write to any sysctl entry via the syscall or /proc/sys. Second feature requires read access to a suid/sgid binary in order to ptrace it, preventing infoleaking of binaries in situations where the admin has specified 4711 or 2711 perms. Feature has been given the config option CONFIG_GRKERNSEC_PTRACE_READEXEC and a sysctl entry of ptrace_readexec commit 11a7bb25c411c9dccfdca5718639b4becdffd388 Author: Brad Spengler Date: Sun Jan 22 14:37:10 2012 -0500 Compilation fixes commit cd400e21c7c352baba47d6f375297a7847afb33a Author: Brad Spengler Date: Sun Jan 22 14:20:27 2012 -0500 Initial port of grsecurity 2.2.2 for Linux 3.2.1 Note that the new syscalls added to this kernel for remote process read/write are subject to ptrace hardening/other relevant RBAC features /proc/slabinfo is S_IRUSR via mainline now, so I made slab_allocators S_IRUSR by default as well pax_track_stack has been removed from support for this kernel -- if you're running this kernel you should be using a version of gcc with plugin support commit c6d443d1270f455c56a4ffe0f1dd3d3e7ec12a2f Author: Brad Spengler Date: Sun Jan 22 11:47:31 2012 -0500 Import pax-linux-3.2.1-test5.patch commit bfd7db842f835f9837cd43644459b3a95b0b488d Author: Brad Spengler Date: Sun Jan 22 11:02:02 2012 -0500 Allow processes to access others' /proc/pid/maps files (subject to the normal modification of data) instead of returning -EACCES thanks to Wraith from irc for the report commit 873ac13576506cd48ddb527c2540f274e249da50 Merge: 34083dd 8a44fcc Author: Brad Spengler Date: Fri Jan 20 18:04:02 2012 -0500 Merge branch 'pax-test' into grsec-test commit 8a44fcc90cf3368003dc84e1ed013b2e4248c9b2 Author: Brad Spengler Date: Fri Jan 20 18:02:15 2012 -0500 Merge the diff between pax-linux-3.2.1-test4.patch and pax-linux-3.2.1-test5.patch Denies executable shared memory when MPROTECT is active Fixes ia32 emulation crash on 64bit host introduced in a recent patch commit 34083ddf5c0b2b1c0f5e9f7d9e32ddcba223446b Author: Brad Spengler Date: Thu Jan 19 20:23:14 2012 -0500 Introduce new GRKERNSEC_SETXID implementation We're not able to change the credentials of other threads in the process until at most one syscall after the first thread does it, since we mark the threads as needing rescheduling and such work occurs on syscall exit. This does however ensure that we're only modifying the current task's credentials which upholds RCU expectations Many thanks to corsac for testing commit 5f900ad54d3992a4e1cda88273acc2f897a42e71 Author: Brad Spengler Date: Thu Jan 19 17:42:48 2012 -0500 Simplify backport commit f02e444f7b2fb286f99d3b4031ff4e44a4606c37 Author: Brad Spengler Date: Thu Jan 19 17:08:16 2012 -0500 Commit the latest silent fix for a local privilege escalation from Linus Also disable writing to /proc/pid/mem http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc commit 814d38c72b1ee3338294576a05af4f6ca9cffa6c Merge: 0394a3f 7e6299b Author: Brad Spengler Date: Wed Jan 18 20:22:09 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7e6299b4733c082dde930375dd207b63237751ec Merge: 83555fb 9bb1282 Author: Brad Spengler Date: Wed Jan 18 20:21:37 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 0394a3f36c6195dcaf22e265c94d11bb7338c6f7 Author: Jesper Juhl Date: Sun Jan 8 22:44:29 2012 +0100 audit: always follow va_copy() with va_end() A call to va_copy() should always be followed by a call to va_end() in the same function. In kernel/autit.c::audit_log_vformat() this is not always done. This patch makes sure va_end() is always called. Signed-off-by: Jesper Juhl Cc: Al Viro Cc: Eric Paris Cc: Andrew Morton Signed-off-by: Linus Torvalds commit fcbb39319e88bfdf70efe3931cf80a9f23b1a4d9 Author: Andi Kleen Date: Thu Jan 12 17:20:30 2012 -0800 panic: don't print redundant backtraces on oops When an oops causes a panic and panic prints another backtrace it's pretty common to have the original oops data be scrolled away on a 80x50 screen. The second backtrace is quite redundant and not needed anyways. So don't print the panic backtrace when oops_in_progress is true. [akpm@linux-foundation.org: add comment] Signed-off-by: Andi Kleen Cc: Michael Holzheu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 22e4717d04333e2aff6d5d1b2c1b16045f367a1f Author: Miklos Szeredi Date: Thu Jan 12 17:59:46 2012 +0100 fsnotify: don't BUG in fsnotify_destroy_mark() Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139". To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Fix by removing the BUG_ON and adding a comment about not accessing mark after the iput. Signed-off-by: Miklos Szeredi CC: stable@vger.kernel.org Signed-off-by: Linus Torvalds commit 1a90cff66ed00cd57bf00a990d13e95060fa362c Author: Paolo Bonzini Date: Thu Jan 12 16:01:28 2012 +0100 block: fail SCSI passthrough ioctls on partition devices Linux allows executing the SG_IO ioctl on a partition or LVM volume, and will pass the command to the underlying block device. This is well-known, but it is also a large security problem when (via Unix permissions, ACLs, SELinux or a combination thereof) a program or user needs to be granted access only to part of the disk. This patch lets partitions forward a small set of harmless ioctls; others are logged with printk so that we can see which ioctls are actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred. Of course it was being sent to a (partition on a) hard disk, so it would have failed with ENOTTY and the patch isn't changing anything in practice. Still, I'm treating it specially to avoid spamming the logs. In principle, this restriction should include programs running with CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and /dev/sdb, it still should not be able to read/write outside the boundaries of /dev/sda2 independent of the capabilities. However, for now programs with CAP_SYS_RAWIO will still be allowed to send the ioctls. Their actions will still be logged. This patch does not affect the non-libata IDE driver. That driver however already tests for bd != bd->bd_contains before issuing some ioctl; it could be restricted further to forbid these ioctls even for programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini [ Make it also print the command name when warning - Linus ] Signed-off-by: Linus Torvalds commit b41a1178caa15bd7d6d5b36c04c7b1ead05717e2 Author: Paolo Bonzini Date: Thu Jan 12 16:01:27 2012 +0100 block: add and use scsi_blk_cmd_ioctl Introduce a wrapper around scsi_cmd_ioctl that takes a block device. The function will then be enhanced to detect partition block devices and, in that case, subject the ioctls to whitelisting. Cc: linux-scsi@vger.kernel.org Cc: Jens Axboe Cc: James Bottomley Signed-off-by: Paolo Bonzini Signed-off-by: Linus Torvalds commit 97a79814903fc350e1d13704ea31528a42705401 Author: Kees Cook Date: Sat Jan 7 10:41:04 2012 -0800 audit: treat s_id as an untrusted string The use of s_id should go through the untrusted string path, just to be extra careful. Signed-off-by: Kees Cook Acked-by: Mimi Zohar Signed-off-by: Eric Paris commit 2d3f39e9dd73f26a8248fd4442f110d983c5b419 Author: Xi Wang Date: Tue Dec 20 18:39:41 2011 -0500 audit: fix signedness bug in audit_log_execve_info() In the loop, a size_t "len" is used to hold the return value of audit_log_single_execve_arg(), which returns -1 on error. In that case the error handling (len <= 0) will be bypassed since "len" is unsigned, and the loop continues with (p += len) being wrapped. Change the type of "len" to signed int to fix the error handling. size_t len; ... for (...) { len = audit_log_single_execve_arg(...); if (len <= 0) break; p += len; } Signed-off-by: Xi Wang Signed-off-by: Eric Paris commit 1b3dc2ea3204fb22b9d0d30b2b7953991f5be594 Author: Dan Carpenter Date: Tue Jan 17 03:28:51 2012 -0300 [media] ds3000: using logical && instead of bitwise & The intent here was to test if the FE_HAS_LOCK was set. The current test is equivalent to "if (status) { ..." Signed-off-by: Dan Carpenter Signed-off-by: Mauro Carvalho Chehab commit 36522330dc59d2fc70c042f3f081d75c32b6259a Author: Brad Spengler Date: Mon Jan 16 13:10:38 2012 -0500 Ignore the 0 signal for protected task RBAC checks commit d513acd55f7a683f6e146a4f570cdb63300479ab Author: Brad Spengler Date: Mon Jan 16 11:56:13 2012 -0500 whitespace cleanup commit ced261c4b82818c700aff8487f647f6f3e5b5122 Merge: d48751f 83555fb Author: Brad Spengler Date: Fri Jan 13 20:12:54 2012 -0500 Merge branch 'pax-test' into grsec-test commit 83555fb431e5be6c0e09687ff3bdc583f0caf9d9 Merge: fcd8129 93dad39 Author: Brad Spengler Date: Fri Jan 13 20:12:43 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit d48751f3919ae855fda0ff6c149db82442329253 Author: Brad Spengler Date: Wed Jan 11 19:05:47 2012 -0500 Call our own set_user when forcing change to new id commit 26d9d497f6b926bc1699980aa18c360a3d3c52a0 Merge: e6578ff fcd8129 Author: Brad Spengler Date: Tue Jan 10 16:00:10 2012 -0500 Merge branch 'pax-test' into grsec-test commit fcd8129277601f2e2d5a2066120cf8b2472d7d1f Author: Brad Spengler Date: Tue Jan 10 15:58:43 2012 -0500 Merge changes from pax-linux-3.1.8-test23.patch commit e6578ff3e7629c432ed9b99bde6af2a1c00279b5 Merge: 8859ec3 a120549 Author: Brad Spengler Date: Fri Jan 6 21:45:56 2012 -0500 Merge branch 'pax-test' into grsec-test commit a12054967a77090de1caa07c41e694a77db4e237 Author: Brad Spengler Date: Fri Jan 6 21:45:30 2012 -0500 Merge changes from pax-linux-3.1.8-test22.patch commit 8859ec32f9815c274df65448f9f2960176c380d3 Merge: a5016b4 ddd4114 Author: Brad Spengler Date: Fri Jan 6 21:26:08 2012 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/binfmt_elf.c security/Kconfig commit ddd41147e158a79704983a409b7433eba797cf66 Author: Brad Spengler Date: Fri Jan 6 21:12:42 2012 -0500 Resync with PaX patch (whitespace difference) commit 29e569df8205c5f0e043fe4803aa984406c8b118 Author: Brad Spengler Date: Fri Jan 6 21:09:47 2012 -0500 Merge changes from pax-linux-3.1.8-test21.patch commit a5016b4f9c09c337b17e063a7f369af1e86d944d Merge: 0124c92 04231d5 Author: Brad Spengler Date: Fri Jan 6 18:52:20 2012 -0500 Merge branch 'pax-test' into grsec-test commit 04231d52dc8d0d6788a6bc6709dc046d3eb37097 Merge: 7bdddeb a919904 Author: Brad Spengler Date: Fri Jan 6 18:51:50 2012 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: include/net/flow.h commit 0124c9264234c450904a0a5fa2f8c608ab8e3796 Author: Brad Spengler Date: Fri Jan 6 18:33:05 2012 -0500 Make GRKERNSEC_SETXID option compatible with credential debugging commit 69919c6da7cf8a781439da15b597a7d6bc9b3abe Author: KOSAKI Motohiro Date: Wed Dec 28 15:57:11 2011 -0800 mm/mempolicy.c: refix mbind_range() vma issue commit 8aacc9f550 ("mm/mempolicy.c: fix pgoff in mbind vma merge") is the slightly incorrect fix. Why? Think following case. 1. map 4 pages of a file at offset 0 [0123] 2. map 2 pages just after the first mapping of the same file but with page offset 2 [0123][23] 3. mbind() 2 pages from the first mapping at offset 2. mbind_range() should treat new vma is, [0123][23] |23| mbind vma but it does [0123][23] |01| mbind vma Oops. then, it makes wrong vma merge and splitting ([01][0123] or similar). This patch fixes it. [testcase] test result - before the patch case4: 126: test failed. expect '2,4', actual '2,2,2' case5: passed case6: passed case7: passed case8: passed case_n: 246: test failed. expect '4,2', actual '1,4' ------------[ cut here ]------------ kernel BUG at mm/filemap.c:135! invalid opcode: 0000 [#4] SMP DEBUG_PAGEALLOC (snip long bug on messages) test result - after the patch case4: passed case5: passed case6: passed case7: passed case8: passed case_n: passed source: mbind_vma_test.c ============================================================ #include #include #include #include #include #include #include static unsigned long pagesize; void* mmap_addr; struct bitmask *nmask; char buf[1024]; FILE *file; char retbuf[10240] = ""; int mapped_fd; char *rubysrc = "ruby -e '\ pid = %d; \ vstart = 0x%llx; \ vend = 0x%llx; \ s = `pmap -q #{pid}`; \ rary = []; \ s.each_line {|line|; \ ary=line.split(\" \"); \ addr = ary[0].to_i(16); \ if(vstart <= addr && addr < vend) then \ rary.push(ary[1].to_i()/4); \ end; \ }; \ print rary.join(\",\"); \ '"; void init(void) { void* addr; char buf[128]; nmask = numa_allocate_nodemask(); numa_bitmask_setbit(nmask, 0); pagesize = getpagesize(); sprintf(buf, "%s", "mbind_vma_XXXXXX"); mapped_fd = mkstemp(buf); if (mapped_fd == -1) perror("mkstemp "), exit(1); unlink(buf); if (lseek(mapped_fd, pagesize*8, SEEK_SET) < 0) perror("lseek "), exit(1); if (write(mapped_fd, "\0", 1) < 0) perror("write "), exit(1); addr = mmap(NULL, pagesize*8, PROT_NONE, MAP_SHARED, mapped_fd, 0); if (addr == MAP_FAILED) perror("mmap "), exit(1); if (mprotect(addr+pagesize, pagesize*6, PROT_READ|PROT_WRITE) < 0) perror("mprotect "), exit(1); mmap_addr = addr + pagesize; /* make page populate */ memset(mmap_addr, 0, pagesize*6); } void fin(void) { void* addr = mmap_addr - pagesize; munmap(addr, pagesize*8); memset(buf, 0, sizeof(buf)); memset(retbuf, 0, sizeof(retbuf)); } void mem_bind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_BIND, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_interleave(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_INTERLEAVE, nmask->maskp, nmask->size, 0); if (err) perror("mbind "), exit(err); } void mem_unbind(int index, int len) { int err; err = mbind(mmap_addr+pagesize*index, pagesize*len, MPOL_DEFAULT, NULL, 0, 0); if (err) perror("mbind "), exit(err); } void Assert(char *expected, char *value, char *name, int line) { if (strcmp(expected, value) == 0) { fprintf(stderr, "%s: passed\n", name); return; } else { fprintf(stderr, "%s: %d: test failed. expect '%s', actual '%s'\n", name, line, expected, value); // exit(1); } } /* AAAA PPPPPPNNNNNN might become PPNNNNNNNNNN case 4 below */ void case4(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 4); mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case4", __LINE__); fin(); } /* AAAA PPPPPPNNNNNN might become PPPPPPPPPPNN case 5 below */ void case5(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case5", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPPPPP 6 */ void case6(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_bind(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("6", retbuf, "case6", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPPPPPXXXX 7 */ void case7(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_bind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case7", __LINE__); fin(); } /* AAAA PPPPNNNNXXXX might become PPPPNNNNNNNN 8 */ void case8(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); mem_bind(0, 2); mem_interleave(4, 2); mem_interleave(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("2,4", retbuf, "case8", __LINE__); fin(); } void case_n(void) { init(); sprintf(buf, rubysrc, getpid(), mmap_addr, mmap_addr+pagesize*6); /* make redundunt mappings [0][1234][34][7] */ mmap(mmap_addr + pagesize*4, pagesize*2, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_SHARED, mapped_fd, pagesize*3); /* Expect to do nothing. */ mem_unbind(2, 2); file = popen(buf, "r"); fread(retbuf, sizeof(retbuf), 1, file); Assert("4,2", retbuf, "case_n", __LINE__); fin(); } int main(int argc, char** argv) { case4(); case5(); case6(); case7(); case8(); case_n(); return 0; } ============================================================= Signed-off-by: KOSAKI Motohiro Acked-by: Johannes Weiner Cc: Minchan Kim Cc: Caspar Zhang Cc: KOSAKI Motohiro Cc: Christoph Lameter Cc: Hugh Dickins Cc: Mel Gorman Cc: Lee Schermerhorn Cc: [3.1.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f3a1082005781777086df235049f8c0b7efe524e Author: Wei Yongjun Date: Tue Dec 27 22:32:41 2011 -0500 packet: fix possible dev refcnt leak when bind fail If bind is fail when bind is called after set PACKET_FANOUT sock option, the dev refcnt will leak. Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 915f8b08dac68839dc7204ee81cf9852fda16d24 Author: Haogang Chen Date: Mon Dec 19 17:11:56 2011 -0800 nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 006afb6eb7a7398edc0068c3a7b9510ffaf80f72 Author: Kautuk Consul Date: Mon Dec 19 17:12:04 2011 -0800 mm/vmalloc.c: remove static declaration of va from __get_vm_area_node Static storage is not required for the struct vmap_area in __get_vm_area_node. Removing "static" to store this variable on the stack instead. Signed-off-by: Kautuk Consul Acked-by: David Rientjes Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 461ecdf221edb089e5fa0d5563e1688cd0a36f66 Author: Michel Lespinasse Date: Mon Dec 19 17:12:06 2011 -0800 binary_sysctl(): fix memory leak binary_sysctl() calls sysctl_getname() which allocates from names_cache slab usin __getname() The matching function to free the name is __putname(), and not putname() which should be used only to match getname() allocations. This is because when auditing is enabled, putname() calls audit_putname *instead* (not in addition) to __putname(). Then, if a syscall is in progress, audit_putname does not release the name - instead, it expects the name to get released when the syscall completes, but that will happen only if audit_getname() was called previously, i.e. if the name was allocated with getname() rather than the naked __getname(). So, __getname() followed by putname() ends up leaking memory. Signed-off-by: Michel Lespinasse Acked-by: Al Viro Cc: Christoph Hellwig Cc: Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 0a2cd3ef50c0bae70d59c74a77db0455d26fde56 Author: Sean Hefty Date: Tue Dec 6 21:17:11 2011 +0000 RDMA/cma: Verify private data length private_data_len is defined as a u8. If the user specifies a large private_data size (> 220 bytes), we will calculate a total length that exceeds 255, resulting in private_data_len wrapping back to 0. This can lead to overwriting random kernel memory. Avoid this by verifying that the resulting size fits into a u8. Reported-by: B. Thery Addresses: Signed-off-by: Sean Hefty Signed-off-by: Roland Dreier commit 6b618c54aaec99078629ec5b9575cb7d6fc31176 Author: Xi Wang Date: Sun Dec 11 23:40:56 2011 -0800 Input: cma3000_d0x - fix signedness bug in cma3000_thread_irq() The error check (intr_status < 0) didn't work because intr_status is a u8. Change its type to signed int. Signed-off-by: Xi Wang Signed-off-by: Dmitry Torokhov commit e27f34e383d7863b2528a63b81b23db09781f6b6 Author: Xi Wang Date: Fri Dec 16 12:44:15 2011 +0000 sctp: fix incorrect overflow check on autoclose Commit 8ffd3208 voids the previous patches f6778aab and 810c0719 for limiting the autoclose value. If userspace passes in -1 on 32-bit platform, the overflow check didn't work and autoclose would be set to 0xffffffff. This patch defines a max_autoclose (in seconds) for limiting the value and exposes it through sysctl, with the following intentions. 1) Avoid overflowing autoclose * HZ. 2) Keep the default autoclose bound consistent across 32- and 64-bit platforms (INT_MAX / HZ in this patch). 3) Keep the autoclose value consistent between setsockopt() and getsockopt() calls. Suggested-by: Vlad Yasevich Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 8ebdfaad2f46ff0ac9fef9858e436bcc712a1ac8 Author: Xi Wang Date: Wed Dec 21 05:18:33 2011 -0500 vmwgfx: fix incorrect VRAM size check in vmw_kms_fb_create() Commit e133e737 didn't correctly fix the integer overflow issue. - unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) { Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication. required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height; This patch calls the existing vmw_kms_validate_mode_vram() for validation. Signed-off-by: Xi Wang Reviewed-and-tested-by: Thomas Hellstrom Signed-off-by: Dave Airlie Conflicts: drivers/gpu/drm/vmwgfx/vmwgfx_kms.c commit eb8f0bd01fb994c9abc77dc84729794cd841753d Author: Xi Wang Date: Thu Dec 22 13:35:22 2011 +0000 rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Setting a large rps_flow_cnt like (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch replaces the magic number (1 << 30) with a symbolic bound. Suggested-by: Eric Dumazet Signed-off-by: Xi Wang Signed-off-by: David S. Miller commit 648188958672024b616c42c1f6c98c8cfc85619d Author: Xi Wang Date: Fri Dec 30 10:40:17 2011 -0500 netfilter: ctnetlink: fix timeout calculation The sanity check (timeout < 0) never works; the dividend is unsigned and so is the division, which should have been a signed division. long timeout = (ct->timeout.expires - jiffies) / HZ; if (timeout < 0) timeout = 0; This patch converts the time values to signed for the division. Signed-off-by: Xi Wang Signed-off-by: Pablo Neira Ayuso commit ab03a0973cee73f88655ff4981812ad316a6cd59 Merge: 76f82df 7bdddeb Author: Brad Spengler Date: Tue Jan 3 17:42:50 2012 -0500 Merge branch 'pax-test' into grsec-test commit 7bdddebd9d274a344a1c57a561152160c9e9a32a Merge: 3e59cb5 55cc81a Author: Brad Spengler Date: Tue Jan 3 17:42:36 2012 -0500 Merge branch 'linux-3.1.y' into pax-test commit 76f82df18ba181687f454426fa9ced7a92b2ac1f Author: Brad Spengler Date: Thu Dec 22 20:15:02 2011 -0500 Only further restrict futex targeting another process -- our modified permission check also happened to allow a case where a process retaining uid 0 could issue futex syscalls against other uid 0 tasks, despite the euid being non-zero (reported on forums by ben_w) commit 6b235a4450a5fea41663ec35fa0608988b6078c6 Merge: 97c16f0 3e59cb5 Author: Brad Spengler Date: Thu Dec 22 19:11:06 2011 -0500 Merge branch 'pax-test' into grsec-test Conflicts: fs/hfs/btree.c commit 3e59cb503d4ca6ce0954b8d3eb508cf7d1a31f50 Merge: 285eb4e c26f60b Author: Brad Spengler Date: Thu Dec 22 19:09:57 2011 -0500 Merge branch 'linux-3.1.y' into pax-test Conflicts: arch/x86/kernel/process.c commit 97c16f0fcff592160c1787bd1c56ae7ad070ac17 Author: Brad Spengler Date: Mon Dec 19 21:54:01 2011 -0500 Add new option: "Enforce consistent multithreaded privileges" commit 7d125a16a5245b2bafc9184b8f93e864394ba1cb Author: Brad Spengler Date: Wed Dec 7 19:58:31 2011 -0500 Remove harmless duplicate code -- exec_file would be null already so the second check would never pass. commit 4e3304e94aa72737810bc50169519af157dce4ce Author: Brad Spengler Date: Wed Dec 7 19:50:39 2011 -0500 Revert back to (possibly?) undocumented /proc/pid behavior that gdb depended on for attaching to a thread. Entries exist in /proc for threads, but are not visible in a readdir. commit 1bd899335f23815cfe8deac44c6b346398f3b95e Author: Brad Spengler Date: Sun Dec 4 18:03:28 2011 -0500 Put the already-walked path if in RCU-walk mode commit ec7ae36b7159f10649709779443a988662965d66 Author: Brad Spengler Date: Sun Dec 4 17:35:21 2011 -0500 Fix memory leak introduced by recent (unpublished) commit 75ab998b94a29d464518d6d501bdde3fbfcbfa14 commit 1e2318a8ea2e67eaf17236be374b5da8a5ba5e04 Author: Brad Spengler Date: Sun Dec 4 13:56:10 2011 -0500 Explicitly check size copied to userland in override_release to silence gcc commit c30a85d0fff67e0724e726febb934c0b6fa01c6c Author: Brad Spengler Date: Sun Dec 4 13:54:02 2011 -0500 Initialize variable to silence erroneous gcc warning commit 2cf8e7a3bf4e97b2cd3de9ebc453bc505dc7eb78 Author: Brad Spengler Date: Sun Dec 4 13:47:47 2011 -0500 Future-proof other potential RCU-aware locations where we can log. commit 0c904e8c7ea0338c47c7ae825e093a152dc8f8a8 Author: Brad Spengler Date: Sun Dec 4 13:02:54 2011 -0500 Fix freeze reported by 'vs' on the forums. Bug occurred due to MAY_NOT_BLOCK added to Linux 3.1. Our logging code, when a capability used in generic_permission() was in the task's effective set but disallowed by RBAC, would block when acquiring locks resulting in the freeze. Also update the ordering of checks so that CAP_DAC_READ_SEARCH isn't logged as being required when CAP_DAC_OVERRIDE is present (consistent with older patches). commit ab694e5eccfbc369baa593ebc1269d1908cf16dc Author: Xi Wang Date: Tue Nov 29 09:26:30 2011 +0000 sctp: better integer overflow check in sctp_auth_create_key() The check from commit 30c2235c is incomplete and cannot prevent cases like key_len = 0x80000000 (INT_MAX + 1). In that case, the left-hand side of the check (INT_MAX - key_len), which is unsigned, becomes 0xffffffff (UINT_MAX) and bypasses the check. However this shouldn't be a security issue. The function is called from the following two code paths: 1) setsockopt() 2) sctp_auth_asoc_set_secret() In case (1), sca_keylength is never going to exceed 65535 since it's bounded by a u16 from the user API. As such, the key length will never overflow. In case (2), sca_keylength is computed based on the user key (1 short) and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still will not overflow. In other words, this overflow check is not really necessary. Just make it more correct. Signed-off-by: Xi Wang Cc: Vlad Yasevich Signed-off-by: David S. Miller commit e565e28c3635a1d50f80541fbf6b606d742fec76 Author: Josh Boyer Date: Fri Aug 19 14:50:26 2011 -0400 fs/minix: Verify bitmap block counts before mounting Newer versions of MINIX can create filesystems that allocate an extra bitmap block. Mounting of this succeeds, but doing a statfs call will result in an oops in count_free because of a negative number being used for the bh index. Avoid this by verifying the number of allocated blocks at mount time, erroring out if there are not enough and make statfs ignore the extras if there are too many. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=18792 Signed-off-by: Josh Boyer Signed-off-by: Al Viro commit 6e134e398ec1a3f428261680e83df4319e64bed9 Author: Julia Lawall Date: Tue Nov 15 14:53:11 2011 -0800 drivers/gpu/vga/vgaarb.c: add missing kfree kbuf is a buffer that is local to this function, so all of the error paths leaving the function should release it. Signed-off-by: Julia Lawall Cc: Jesper Juhl Signed-off-by: Andrew Morton Signed-off-by: Dave Airlie commit 2b9057b321e36860e8d63985b5c4e496f254b717 Author: Brad Spengler Date: Sat Dec 3 21:33:28 2011 -0500 Import changes between pax-linux-3.1.4-test18.patch and grsecurity-2.2.2-3.1.4-201112021740.patch commit 5dfe6091dca281a456eaff5e7b4692d768a05cfd Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch commit 285eb4ea45d853ae00426b3315a61c1368080dad Author: Brad Spengler Date: Sat Dec 10 18:33:46 2011 -0500 Import changes from pax-linux-3.1.5-test20.patch commit a6bda918fc90ec1d5c387e978d147ad2044153f1 Author: Brad Spengler Date: Thu Dec 8 20:55:54 2011 -0500 Import changes from pax-linux-3.1.4-test19.patch commit e6d987bdb782b280f882cc20055e3d9cb28ad3a5 Author: Brad Spengler Date: Sat Dec 3 21:29:37 2011 -0500 Import pax-linux-3.1.4-test18.patch