commit 917a60c749d80121229a1752874ff8a606778fc5 Merge: 76fc822 77d474f Author: Brad Spengler Date: Wed Nov 18 19:58:31 2015 -0500 Merge branch 'pax-test' into grsec-test commit 77d474f0bcb2e5acafc78c66c456d1aebaac14b3 Author: Brad Spengler Date: Wed Nov 18 19:58:08 2015 -0500 Update to pax-linux-4.2.6-test20.patch: - constified some vdso/vsyscall related code/data arch/x86/entry/vdso/vdso2c.h | 4 ++-- arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +- arch/x86/mm/ioremap.c | 2 +- mm/debug.c | 3 +++ 4 files changed, 7 insertions(+), 4 deletions(-) commit 76fc8223b2e6b6c950702adfdb055dd5da90657c Author: Brad Spengler Date: Wed Nov 18 17:40:27 2015 -0500 Allow processes with CAP_SYS_PTRACE to ignore /proc/pid restrictions, as reported by Andrew fs/proc/base.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 708c2e025f8a05b76f319cfa5fa624d37d8ef6f3 Author: Brad Spengler Date: Tue Nov 17 18:43:24 2015 -0500 Fix multiple character encodings in patch, reported by IooNag on the forums grsecurity/Makefile | 2 +- net/netfilter/xt_gradm.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit d1f7534df8687fd05858fd45805b1185eafe38a7 Author: Hannes Frederic Sowa Date: Tue Nov 17 15:10:59 2015 +0100 af_unix: take receive queue lock while appending new skb While possibly in future we don't necessarily need to use sk_buff_head.lock this is a rather larger change, as it affects the af_unix fd garbage collector, diag and socket cleanups. This is too much for a stable patch. For the time being grab sk_buff_head.lock without disabling bh and irqs, so don't use locked skb_queue_tail. Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support") Cc: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Reported-by: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 0df914e7a66a4807bac7762ab33ba3020944ef6b Author: Hannes Frederic Sowa Date: Mon Nov 16 16:25:56 2015 +0100 af_unix: don't append consumed skbs to sk_receive_queue In case multiple writes to a unix stream socket race we could end up in a situation where we pre-allocate a new skb for use in unix_stream_sendpage but have to free it again in the locked section because another skb has been appended meanwhile, which we must use. Accidentally we didn't clear the pointer after consuming it and so we touched freed memory while appending it to the sk_receive_queue. So, clear the pointer after consuming the skb. This bug has been found with syzkaller (http://github.com/google/syzkaller) by Dmitry Vyukov. Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support") Reported-by: Dmitry Vyukov Cc: Dmitry Vyukov Cc: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/unix/af_unix.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit ac8466abcd0ae871cd38d868e1a4e903b92ffc48 Author: Jason A. Donenfeld Date: Thu Nov 12 17:35:58 2015 +0100 ip_tunnel: disable preemption when updating per-cpu tstats Drivers like vxlan use the recently introduced udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the packet, updates the struct stats using the usual u64_stats_update_begin/end calls on this_cpu_ptr(dev->tstats). udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch tstats, so drivers like vxlan, immediately after, call iptunnel_xmit_stats, which does the same thing - calls u64_stats_update_begin/end on this_cpu_ptr(dev->tstats). While vxlan is probably fine (I don't know?), calling a similar function from, say, an unbound workqueue, on a fully preemptable kernel causes real issues: [ 188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6 [ 188.435579] caller is debug_smp_processor_id+0x17/0x20 [ 188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2 [ 188.435607] Call Trace: [ 188.435611] [] dump_stack+0x4f/0x7b [ 188.435615] [] check_preemption_disabled+0x19d/0x1c0 [ 188.435619] [] debug_smp_processor_id+0x17/0x20 The solution would be to protect the whole this_cpu_ptr(dev->tstats)/u64_stats_update_begin/end blocks with disabling preemption and then reenabling it. Signed-off-by: Jason A. Donenfeld Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/ip6_tunnel.h | 3 ++- include/net/ip_tunnels.h | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 44665148f06b73ea0c253a1a34d15689674d7421 Author: Mathias Krause Date: Fri Nov 6 16:30:38 2015 -0800 printk: prevent userland from spoofing kernel messages The following statement of ABI/testing/dev-kmsg is not quite right: It is not possible to inject messages from userspace with the facility number LOG_KERN (0), to make sure that the origin of the messages can always be reliably determined. Userland actually can inject messages with a facility of 0 by abusing the fact that the facility is stored in a u8 data type. By using a facility which is a multiple of 256 the assignment of msg->facility in log_store() implicitly truncates it to 0, i.e. LOG_KERN, allowing users of /dev/kmsg to spoof kernel messages as shown below: The following call... # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg ...leads to the following log entry (dmesg -x | tail -n 1): user :emerg : [ 66.137758] Kernel panic - not syncing: beer empty However, this call... # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg ...leads to the slightly different log entry (note the kernel facility): kern :emerg : [ 74.177343] Kernel panic - not syncing: beer empty Fix that by limiting the user provided facility to 8 bit right from the beginning and catch the truncation early. Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...") Signed-off-by: Mathias Krause Cc: Greg Kroah-Hartman Cc: Petr Mladek Cc: Alex Elder Cc: Joe Perches Cc: Kay Sievers Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/printk/printk.c | 13 ++++++++----- 1 files changed, 8 insertions(+), 5 deletions(-) commit bef8fb168317597f02c00ab4075ff094dcdfd2c6 Author: Borislav Petkov Date: Thu Nov 5 16:57:56 2015 +0100 x86/cpu: Call verify_cpu() after having entered long mode too When we get loaded by a 64-bit bootloader, kernel entry point is startup_64 in head_64.S. We don't trust any and all bootloaders because some will fiddle with CPU configuration so we go ahead and massage each CPU into sanity again. For example, some dell BIOSes have this XD disable feature which set IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround for other OSes but Linux sure doesn't need it. A similar thing is present in the Surface 3 firmware - see https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit only on the BSP: # rdmsr -a 0x1a0 400850089 850089 850089 850089 I know, right?! There's not even an off switch in there. So fix all those cases by sanitizing the 64-bit entry point too. For that, make verify_cpu() callable in 64-bit mode also. Requested-and-debugged-by: "H. Peter Anvin" Reported-and-tested-by: Bastien Nocera Signed-off-by: Borislav Petkov Cc: Matt Fleming Cc: Peter Zijlstra Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de Signed-off-by: Thomas Gleixner Conflicts: arch/x86/kernel/head_64.S arch/x86/kernel/head_64.S | 9 +++++++++ arch/x86/kernel/verify_cpu.S | 12 +++++++----- 2 files changed, 16 insertions(+), 5 deletions(-) commit 9cb084208a9589a6a5be01d2b7df88843f4b01a4 Author: Hannes Frederic Sowa Date: Tue Nov 10 16:23:15 2015 +0100 af-unix: fix use-after-free with concurrent readers while splicing During splicing an af-unix socket to a pipe we have to drop all af-unix socket locks. While doing so we allow another reader to enter unix_stream_read_generic which can read, copy and finally free another skb. If exactly this skb is just in process of being spliced we get a use-after-free report by kasan. First, we must make sure to not have a free while the skb is used during the splice operation. We simply increment its use counter before unlocking the reader lock. Stream sockets have the nice characteristic that we don't care about zero length writes and they never reach the peer socket's queue. That said, we can take the UNIXCB.consumed field as the indicator if the skb was already freed from the socket's receive queue. If the skb was fully consumed after we locked the reader side again we know it has been dropped by a second reader. We indicate a short read to user space and abort the current splice operation. This bug has been found with syzkaller (http://github.com/google/syzkaller) by Dmitry Vyukov. Fixes: 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets") Reported-by: Dmitry Vyukov Cc: Dmitry Vyukov Cc: Eric Dumazet Acked-by: Eric Dumazet Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/unix/af_unix.c | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) commit 4e75d2b7d6546add44f0951e78410b131a1e660d Author: Brad Spengler Date: Sat Nov 14 15:08:46 2015 -0500 switch the default for SIZE_OVERFLOW_KILL to n, later we'll remove the option entirely Distros should make sure their users report all overflows printed to the kernel logs so the underlying issues can be fixed security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 2e37eb35e0f1ba5a0feac5264a7b24d89376d0a2 Author: Brad Spengler Date: Sat Nov 14 15:07:51 2015 -0500 Resync with PaX fs/btrfs/inode.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) commit 2f63d2552f38c700902d17bf9b591d82f39a3fb5 Merge: 5e0ec21 823b1bc Author: Brad Spengler Date: Sat Nov 14 14:29:16 2015 -0500 Merge branch 'pax-test' into grsec-test commit 823b1bc5a8e670f7ddfa98ee0d83762bffab28fb Author: Brad Spengler Date: Sat Nov 14 14:28:35 2015 -0500 Update to pax-linux-4.2.6-test19.patch: - David Sterba updated the fix for one of the previous btrfs problems - Emese and Rasmus Villemoes fixed a few bugs in the initify plugin - fixed debian package generation to support building out-of-tree modules with plugins, reported by Elie Roudninski fs/btrfs/delayed-inode.c | 3 +- fs/btrfs/delayed-inode.h | 2 +- fs/btrfs/inode.c | 2 +- scripts/package/builddeb | 2 +- tools/gcc/initify_plugin.c | 264 ++++++++++++++++++++++++++++++-------------- 5 files changed, 188 insertions(+), 85 deletions(-) commit 5e0ec21349bb3aeead0701ef51df3086ad377979 Author: Brad Spengler Date: Thu Nov 12 19:54:21 2015 -0500 Revert https://patchwork.kernel.org/patch/7585611/ for now as it's been reported to cause userland hangs, similar to previous bugs seen in the past fs/btrfs/inode.c | 12 ------------ 1 files changed, 0 insertions(+), 12 deletions(-) commit 65402b5a6125cc95c3223a0da8f2817e13bf18ec Author: françois romieu Date: Wed Nov 11 23:35:18 2015 +0100 r8169: fix kasan reported skb use-after-free. Signed-off-by: Francois Romieu Reported-by: Dave Jones Fixes: d7d2d89d4b0af ("r8169: Add software counter for multicast packages") Acked-by: Eric Dumazet Acked-by: Corinna Vinschen Signed-off-by: David S. Miller drivers/net/ethernet/realtek/r8169.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit bbfcbb7b1e086062aa17358927e14e394830b8a3 Author: Anthony Lineham Date: Thu Oct 22 11:17:03 2015 +1300 netfilter: Fix removal of GRE expectation entries created by PPTP The uninitialized tuple structure caused incorrect hash calculation and the lookup failed. Link: https://bugzilla.kernel.org/show_bug.cgi?id=106441 Signed-off-by: Anthony Lineham Signed-off-by: Pablo Neira Ayuso net/ipv4/netfilter/nf_nat_pptp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit d7cb19f37a91603021e2bed6417766ecca315bd0 Author: Paolo Bonzini Date: Tue Nov 10 09:14:39 2015 +0100 KVM: svm: unconditionally intercept #DB This is needed to avoid the possibility that the guest triggers an infinite stream of #DB exceptions (CVE-2015-8104). VMX is not affected: because it does not save DR6 in the VMCS, it already intercepts #DB unconditionally. Reported-by: Jan Beulich Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini arch/x86/kvm/svm.c | 14 +++----------- 1 files changed, 3 insertions(+), 11 deletions(-) commit 5b241ac6551e1675e1cbbc4a74fa1c698ada28f4 Author: Eric Northup Date: Tue Nov 3 18:03:53 2015 +0100 KVM: x86: work around infinite loop in microcode when #AC is delivered It was found that a guest can DoS a host by triggering an infinite stream of "alignment check" (#AC) exceptions. This causes the microcode to enter an infinite loop where the core never receives another interrupt. The host kernel panics pretty quickly due to the effects (CVE-2015-5307). Signed-off-by: Eric Northup Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini arch/x86/include/uapi/asm/svm.h | 1 + arch/x86/kvm/svm.c | 8 ++++++++ arch/x86/kvm/vmx.c | 5 ++++- 3 files changed, 13 insertions(+), 1 deletions(-) commit 6113725aaaf6626522b93732f29dd36370695a89 Author: Daniel Borkmann Date: Thu Nov 5 00:01:51 2015 +0100 debugfs: fix refcount imbalance in start_creating In debugfs' start_creating(), we pin the file system to safely access its root. When we failed to create a file, we unpin the file system via failed_creating() to release the mount count and eventually the reference of the vfsmount. However, when we run into an error during lookup_one_len() when still in start_creating(), we only release the parent's mutex but not so the reference on the mount. Looks like it was done in the past, but after splitting portions of __create_file() into start_creating() and end_creating() via 190afd81e4a5 ("debugfs: split the beginning and the end of __create_file() off"), this seemed missed. Noticed during code review. Fixes: 190afd81e4a5 ("debugfs: split the beginning and the end of __create_file() off") Cc: stable@vger.kernel.org # v4.0+ Signed-off-by: Daniel Borkmann Signed-off-by: Al Viro fs/debugfs/inode.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit e91f8a6717837a8a64b6e86317a1373ec9cd6c04 Author: Maciej W. Rozycki Date: Mon Oct 26 15:48:19 2015 +0000 binfmt_elf: Don't clobber passed executable's file header Do not clobber the buffer space passed from `search_binary_handler' and originally preloaded by `prepare_binprm' with the executable's file header by overwriting it with its interpreter's file header. Instead keep the buffer space intact and directly use the data structure locally allocated for the interpreter's file header, fixing a bug introduced in 2.1.14 with loadable module support (linux-mips.org commit beb11695 [Import of Linux/MIPS 2.1.14], predating kernel.org repo's history). Adjust the amount of data read from the interpreter's file accordingly. This was not an issue before loadable module support, because back then `load_elf_binary' was executed only once for a given ELF executable, whether the function succeeded or failed. With loadable module support supported and enabled, upon a failure of `load_elf_binary' -- which may for example be caused by architecture code rejecting an executable due to a missing hardware feature requested in the file header -- a module load is attempted and then the function reexecuted by `search_binary_handler'. With the executable's file header replaced with its interpreter's file header the executable can then be erroneously accepted in this subsequent attempt. Cc: stable@vger.kernel.org # all the way back Signed-off-by: Maciej W. Rozycki Signed-off-by: Al Viro fs/binfmt_elf.c | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) commit 9c49029fe4cb9a52cb174aebfd5946a9d26b9956 Merge: 5482e7e 7033393 Author: Brad Spengler Date: Mon Nov 9 19:51:58 2015 -0500 Merge branch 'pax-test' into grsec-test commit 70333935932c9f3eb333a354dd760b4233efcc37 Author: Brad Spengler Date: Mon Nov 9 19:51:19 2015 -0500 Update to pax-linux-4.2.6-test18.patch: - cleaned up the last of the FPU changes, by spender - fixed a few KERNEXEC regressions (backported from 4.3) - Emese fixed a few size overflow false positives in kvm, reported by Christian Roessner (https://bugs.gentoo.org/show_bug.cgi?id=558138#c23) - David Sterba fixed a few integer overflows in btrfs caught by the size overflow plugin (https://patchwork.kernel.org/patch/7585611/ and https://patchwork.kernel.org/patch/7582351/), reported by Victor, Stebalien and alan.d (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284) arch/x86/include/asm/fpu/internal.h | 2 +- arch/x86/include/asm/fpu/types.h | 1 - arch/x86/kernel/apic/apic.c | 4 ++- arch/x86/kernel/fpu/init.c | 36 -------------------- arch/x86/kernel/process_64.c | 6 +-- arch/x86/kernel/vsmp_64.c | 13 +++++-- drivers/acpi/video_detect.c | 2 +- drivers/lguest/core.c | 2 +- fs/btrfs/file.c | 10 ++++-- fs/btrfs/inode.c | 12 ++++++ .../disable_size_overflow_hash.data | 5 ++- .../size_overflow_plugin/size_overflow_hash.data | 7 +--- 12 files changed, 42 insertions(+), 58 deletions(-) commit 5482e7eb4ba3c5cc90472ccdb1bfe2cec64413e2 Merge: 81e2642 682ba19 Author: Brad Spengler Date: Mon Nov 9 18:19:48 2015 -0500 Merge branch 'pax-test' into grsec-test Conflicts: drivers/pci/pci-sysfs.c commit 682ba19ce305f501c9bc5c42a76f2c7442aa22fc Merge: 7755256 1c02865 Author: Brad Spengler Date: Mon Nov 9 18:18:24 2015 -0500 Merge branch 'linux-4.2.y' into pax-test commit 81e26429b7a36f0c75de3ab42754256720c0a159 Author: Brad Spengler Date: Mon Nov 9 07:37:30 2015 -0500 btrfs: fix signed overflow in btrfs_sync_file The calculation of range length in btrfs_sync_file leads to signed overflow. This was caught by PaX gcc SIZE_OVERFLOW plugin. https://forums.grsecurity.net/viewtopic.php?f=1&t=4284 The fsync call passes 0 and LLONG_MAX, the range length does not fit to loff_t and overflows, but the value is converted to u64 so it silently works as expected. The minimal fix is a typecast to u64, switching functions to take (start, end) instead of (start, len) would be more intrusive. Coccinelle script found that there's one more opencoded calculation of the length. @@ loff_t start, end; @@ * end - start CC: stable@vger.kernel.org Signed-off-by: David Sterba fs/btrfs/file.c | 10 +++++++--- 1 files changed, 7 insertions(+), 3 deletions(-) commit 07fd498a96e2d589ad743851c0dec482a92e0429 Author: Brad Spengler Date: Sun Nov 8 17:04:31 2015 -0500 Fix an upstream type confusion bug exposed by RANDSTRUCT: at the beginning of each sem_array/shmid_kernel/msg_queue struct is an kern_ipc_perm struct. Unlike every other place in the kernel where some field must be at an explicit location, there's no documentation at all that the kern_ipc_perm must be at the beginning of these structs. Previously, shmid_kernel and kern_ipc_perm were both randomized with RANDSTRUCT. The problem arises due to the show() handler for /proc for msg/sem/shm -- what it is provided is a pointer to a kern_ipc_perm struct (as a void *) which each show() handler then assumes can be implicitly cast to its own particular struct type without any kind of container_of being performed. Fix this by doing the proper type conversions for each via container_of, and randomize the sem and msg structs while we're at it. include/linux/msg.h | 2 +- include/linux/sem.h | 2 +- ipc/msg.c | 3 ++- ipc/sem.c | 3 ++- ipc/shm.c | 3 ++- 5 files changed, 8 insertions(+), 5 deletions(-) commit 6591e1a526c544936975cd3515d8def09e8026f0 Author: Brad Spengler Date: Tue Nov 3 19:36:05 2015 -0500 Properly fix the PCI sysfs node check that was recently improperly fixed upstream (it's under CAP_SYS_ADMIN so it's not really serious) Reported by Mathias Krause drivers/pci/pci-sysfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit ece03d4d07f29634687b2ea5edb7cab23888cff3 Merge: 715e674 7755256 Author: Brad Spengler Date: Mon Nov 2 21:32:10 2015 -0500 Merge branch 'pax-test' into grsec-test commit 775525660a6353feb261ad6232f6acbc23826bf4 Author: Brad Spengler Date: Mon Nov 2 21:31:21 2015 -0500 Update to pax-linux-4.2.5-test17.patch: - Emese fixed a bunch of size overflow reports: - https://forums.grsecurity.net/viewtopic.php?f=3&t=4290 - https://forums.grsecurity.net/viewtopic.php?f=3&t=4291 - https://forums.grsecurity.net/viewtopic.php?f=3&t=4288 - https://forums.grsecurity.net/viewtopic.php?f=3&t=4285 - https://forums.grsecurity.net/viewtopic.php?f=3&t=4283 - https://forums.grsecurity.net/viewtopic.php?f=3&t=4287 - https://forums.grsecurity.net/viewtopic.php?f=3&t=4289 - https://bugs.archlinux.org/task/46798 - fixed the x86 fpu code some more, reported by spender and others (https://bugs.gentoo.org/show_bug.cgi?id=563804, https://bugs.archlinux.org/task/46764) arch/x86/include/asm/fpu/internal.h | 4 +- arch/x86/kernel/fpu/core.c | 2 +- arch/x86/kernel/process.c | 3 +- arch/x86/kernel/process_64.c | 6 +- drivers/usb/class/cdc-acm.h | 2 +- drivers/video/console/fbcon.c | 2 +- fs/dlm/lowcomms.c | 2 +- include/linux/usb.h | 8 +- .../disable_size_overflow_hash.data | 15 +- .../size_overflow_plugin/intentional_overflow.c | 3 + .../size_overflow_plugin/size_overflow_hash.data | 373 ++++++++++++++++---- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 3 +- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 13 files changed, 329 insertions(+), 96 deletions(-) commit 715e674a838f08748044bce459380762e9c1cd29 Author: Sasha Levin Date: Wed Oct 7 11:03:28 2015 -0500 PCI: Prevent out of bounds access in numa_node override 63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that the numa node provided by userspace is valid. Passing a node number too high would attempt to access invalid memory and trigger a kernel panic. Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs") Signed-off-by: Sasha Levin Signed-off-by: Bjorn Helgaas CC: stable@vger.kernel.org # v3.19+ drivers/pci/pci-sysfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 6abe1bb892fe394df80dd4267a8bd2874d537e4e Author: David Howells Date: Fri Sep 18 11:45:12 2015 +0100 ovl: use O_LARGEFILE in ovl_copy_up() Open the lower file with O_LARGEFILE in ovl_copy_up(). Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for catching 32-bit userspace dealing with a file large enough that it'll be mishandled if the application isn't aware that there might be an integer overflow. Inside the kernel, there shouldn't be any problems. Reported-by: Ulrich Obergfell Signed-off-by: David Howells Signed-off-by: Miklos Szeredi Cc: # v3.18+ fs/overlayfs/copy_up.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit bf5e23398e4a82e28fe0801337a4b78ca951a1d9 Author: David Howells Date: Fri Sep 18 11:45:22 2015 +0100 ovl: fix dentry reference leak In ovl_copy_up_locked(), newdentry is leaked if the function exits through out_cleanup as this just to out after calling ovl_cleanup() - which doesn't actually release the ref on newdentry. The out_cleanup segment should instead exit through out2 as certainly newdentry leaks - and possibly upper does also, though this isn't caught given the catch of newdentry. Without this fix, something like the following is seen: BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs] BUG: Dentry ffff880023ece640{i=0,n=bigfile} still in use (1) [unmount of tmpfs tmpfs] when unmounting the upper layer after an error occurred in copyup. An error can be induced by creating a big file in a lower layer with something like: dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000)) to create a large file (4.1G). Overlay an upper layer that is too small (on tmpfs might do) and then induce a copy up by opening it writably. Reported-by: Ulrich Obergfell Signed-off-by: David Howells Signed-off-by: Miklos Szeredi Cc: # v3.18+ fs/overlayfs/copy_up.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit da93976d3355abae09d9fd6a68e7dea77ed619d1 Author: Miklos Szeredi Date: Mon Oct 12 15:56:20 2015 +0200 ovl: fix open in stacked overlay If two overlayfs filesystems are stacked on top of each other, then we need recursion in ovl_d_select_inode(). I guess d_backing_inode() is supposed to do that. But currently it doesn't and that functionality is open coded in vfs_open(). This is now copied into ovl_d_select_inode() to fix this regression. Reported-by: Alban Crequy Signed-off-by: Miklos Szeredi Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...") Cc: David Howells Cc: # v4.2+ fs/overlayfs/inode.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 0ddd9cf6149717882b81c946149bf55332d763ae Author: Konstantin Khlebnikov Date: Mon Aug 24 15:57:18 2015 +0300 ovl: free stack of paths in ovl_fill_super This fixes small memory leak after mount. Kmemleak report: unreferenced object 0xffff88003683fe00 (size 16): comm "mount", pid 2029, jiffies 4294909563 (age 33.380s) hex dump (first 16 bytes): 20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff '......@K.6.... backtrace: [] create_object+0x124/0x2c0 [] kmemleak_alloc+0x7b/0xc0 [] __kmalloc+0x106/0x340 [] ovl_fill_super+0x389/0x9a0 [overlay] [] mount_nodev+0x54/0xa0 [] ovl_mount+0x18/0x20 [overlay] [] mount_fs+0x43/0x170 [] vfs_kern_mount+0x74/0x170 [] do_mount+0x22d/0xdf0 [] SyS_mount+0x7b/0xc0 [] entry_SYSCALL_64_fastpath+0x12/0x76 [] 0xffffffffffffffff Signed-off-by: Konstantin Khlebnikov Signed-off-by: Miklos Szeredi Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers") Cc: # v4.0+ fs/overlayfs/super.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit b86575c9973b9ad55d659fd8a6be8f864435ad0e Author: Konstantin Khlebnikov Date: Mon Aug 24 15:57:19 2015 +0300 ovl: free lower_mnt array in ovl_put_super This fixes memory leak after umount. Kmemleak report: unreferenced object 0xffff8800ba791010 (size 8): comm "mount", pid 2394, jiffies 4294996294 (age 53.920s) hex dump (first 8 bytes): 20 1c 13 02 00 88 ff ff ....... backtrace: [] create_object+0x124/0x2c0 [] kmemleak_alloc+0x7b/0xc0 [] __kmalloc+0x106/0x340 [] ovl_fill_super+0x55c/0x9b0 [overlay] [] mount_nodev+0x54/0xa0 [] ovl_mount+0x18/0x20 [overlay] [] mount_fs+0x43/0x170 [] vfs_kern_mount+0x74/0x170 [] do_mount+0x22d/0xdf0 [] SyS_mount+0x7b/0xc0 [] entry_SYSCALL_64_fastpath+0x12/0x76 [] 0xffffffffffffffff Signed-off-by: Konstantin Khlebnikov Signed-off-by: Miklos Szeredi Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure") Cc: # v4.0+ fs/overlayfs/super.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 9f49b5376fae99cd590d13726e2633bc0a53b6db Author: Linus Torvalds Date: Sun Nov 1 17:09:15 2015 -0800 mm: get rid of 'vmalloc_info' from /proc/meminfo It turns out that at least some versions of glibc end up reading /proc/meminfo at every single startup, because glibc wants to know the amount of memory the machine has. And while that's arguably insane, it's just how things are. And it turns out that it's not all that expensive most of the time, but the vmalloc information statistics (amount of virtual memory used in the vmalloc space, and the biggest remaining chunk) can be rather expensive to compute. The 'get_vmalloc_info()' function actually showed up on my profiles as 4% of the CPU usage of "make test" in the git source repository, because the git tests are lots of very short-lived shell-scripts etc. It turns out that apparently this same silly vmalloc info gathering shows up on the facebook servers too, according to Dave Jones. So it's not just "make test" for git. We had two patches to just cache the information (one by me, one by Ingo) to mitigate this issue, but the whole vmalloc information of of rather dubious value to begin with, and people who *actually* want to know what the situation is wrt the vmalloc area should just look at the much more complete /proc/vmallocinfo instead. In fact, according to my testing - and perhaps more importantly, according to that big search engine in the sky: Google - there is nothing out there that actually cares about those two expensive fields: VmallocUsed and VmallocChunk. So let's try to just remove them entirely. Actually, this just removes the computation and reports the numbers as zero for now, just to try to be minimally intrusive. If this breaks anything, we'll obviously have to re-introduce the code to compute this all and add the caching patches on top. But if given the option, I'd really prefer to just remove this bad idea entirely rather than add even more code to work around our historical mistake that likely nobody really cares about. Signed-off-by: Linus Torvalds fs/proc/meminfo.c | 7 ++----- include/linux/vmalloc.h | 12 ------------ mm/vmalloc.c | 47 ----------------------------------------------- 3 files changed, 2 insertions(+), 64 deletions(-) commit 66425129a550275398f886498d957284539bb331 Author: Marek Vasut Date: Fri Oct 30 13:48:19 2015 +0100 can: Use correct type in sizeof() in nla_put() The sizeof() is invoked on an incorrect variable, likely due to some copy-paste error, and this might result in memory corruption. Fix this. Signed-off-by: Marek Vasut Cc: Wolfgang Grandegger Cc: netdev@vger.kernel.org Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/dev.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 8c8e802a86f8faf2519710db043339e1cc953bc4 Author: Brad Spengler Date: Mon Nov 2 17:20:52 2015 -0500 Fix the FPU code properly by copying the dynamically-sized FPU state on each clone of the task struct, making it equivalent to the new FPU-in-task-struct code Fix is from the PaX Team arch/x86/kernel/process.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 036bc2e2231c76f7eb470bfef67b6bc26187aeae Author: Brad Spengler Date: Mon Nov 2 17:19:43 2015 -0500 Revert the forced eagerfpu since it's now fixed properly arch/x86/kernel/fpu/init.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) commit a08ab82bcf321704f6a228c7924b860510c6d610 Author: Carol L Soto Date: Tue Oct 27 17:36:20 2015 +0200 net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes When doing memcpy/memset of EQEs, we should use sizeof struct mlx4_eqe as the base size and not caps.eqe_size which could be bigger. If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt data in the master context. When using a 64 byte stride, the memcpy copied over 63 bytes to the slave_eq structure. This resulted in copying over the entire eqe of interest, including its ownership bit -- and also 31 bytes of garbage into the next WQE in the slave EQ -- which did NOT include the ownership bit (and therefore had no impact). However, once the stride is increased to 128, we are overwriting the ownership bits of *three* eqes in the slave_eq struct. This results in an incorrect ownership bit for those eqes, which causes the eq to seem to be full. The issue therefore surfaced only once 128-byte EQEs started being used in SRIOV and (overarchitectures that have 128/256 byte cache-lines such as PPC) - e.g after commit 77507aa249ae "net/mlx4_core: Enable CQE/EQE stride support". Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support') Signed-off-by: Carol L Soto Signed-off-by: Jack Morgenstein Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/cmd.c | 2 +- drivers/net/ethernet/mellanox/mlx4/eq.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 811ab3b52935612def289efa5e9e2aa973f16f26 Author: Hannes Frederic Sowa Date: Wed Oct 28 13:21:04 2015 +0100 ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Raw sockets with hdrincl enabled can insert ipv6 extension headers right into the data stream. In case we need to fragment those packets, we reparse the options header to find the place where we can insert the fragment header. If the extension headers exceed the link's MTU we actually cannot make progress in such a case. Instead of ending up in broken arithmetic or rounding towards 0 and entering an endless loop in ip6_fragment, just prevent those cases by aborting early and signal -EMSGSIZE to user space. This is the second version of the patch which doesn't use the overflow_usub function, which got reverted for now. Suggested-by: Linus Torvalds Cc: Linus Torvalds Reported-by: Dmitry Vyukov Cc: Dmitry Vyukov Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit f074980442c7c3ff4a75c711ff18204dfb4131b8 Author: Brad Spengler Date: Thu Oct 29 18:19:02 2015 -0400 Revert "ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues" This reverts commit 18d5034650b637ec479f41d98e3912398b3e3efc. net/ipv6/ip6_output.c | 6 +----- 1 files changed, 1 insertions(+), 5 deletions(-) commit 53e629c2d13ed09f4c889925482606f82a65bd1d Author: Brad Spengler Date: Thu Oct 29 18:18:55 2015 -0400 Revert "overflow-arith: begin to add support for overflow builtin functions" This reverts commit cfd0008de8db38841f7f06b979482900994717b9. Conflicts: include/linux/compiler-gcc.h include/linux/compiler-gcc.h | 4 ---- include/linux/overflow-arith.h | 18 ------------------ 2 files changed, 0 insertions(+), 22 deletions(-) commit 225122602b5b7fd58ec5c2a4a1a4a9a29fe7a02a Author: Brad Spengler Date: Thu Oct 29 09:00:11 2015 -0400 Update size_overflow plugin .../size_overflow_plugin/intentional_overflow.c | 3 +++ .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 2 files changed, 4 insertions(+), 1 deletions(-) commit 2bf85cb1c3df45d59d8b59aeacf63cbbee360175 Author: Brad Spengler Date: Thu Oct 29 08:52:07 2015 -0400 Temporarily disable the builtin_overflow again as the kernexec plugin also has problems with it include/linux/compiler-gcc.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit a41c8c4d880b6005e874bf5440e24713da8483cd Author: Brad Spengler Date: Wed Oct 28 19:28:30 2015 -0400 temporarily work around issue with the dynamic FPU state and lazy FPU mode upstream configures FPU mode based on the eagerfpu variable before it's ever actually set by the commandline parser (so eagerfpu= on the commandline has no effect) arch/x86/kernel/fpu/init.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 8452f9d5cfabda9228496050a16bc8728c0ebbb7 Author: Brad Spengler Date: Wed Oct 28 19:25:55 2015 -0400 Remove/reorder some code due to the reverting of the FPU-state-in-task_struct code arch/x86/include/asm/fpu/types.h | 69 ++++++++++++++++++-------------------- arch/x86/include/asm/processor.h | 10 ++---- arch/x86/kernel/fpu/init.c | 20 ----------- include/linux/sched.h | 4 +- 4 files changed, 38 insertions(+), 65 deletions(-) commit c2127bd4215f8f02a1391bef3bde55d0bb1c19bc Author: Brad Spengler Date: Tue Oct 27 23:38:11 2015 -0400 fix typo tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c588def7b5713c31fef2b848bfebf0d727791b82 Author: Brad Spengler Date: Tue Oct 27 21:09:04 2015 -0400 remove the PAGE_SIZE padding from fpregs_state since it's not included as part of the task struct arch/x86/include/asm/fpu/types.h | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit 3bd1e5915353fee1f347577f0e80d925910695f9 Author: Herbert Xu Date: Mon Oct 19 18:23:57 2015 +0800 crypto: api - Only abort operations on fatal signal Currently a number of Crypto API operations may fail when a signal occurs. This causes nasty problems as the caller of those operations are often not in a good position to restart the operation. In fact there is currently no need for those operations to be interrupted by user signals at all. All we need is for them to be killable. This patch replaces the relevant calls of signal_pending with fatal_signal_pending, and wait_for_completion_interruptible with wait_for_completion_killable, respectively. Cc: stable@vger.kernel.org Signed-off-by: Herbert Xu crypto/ablkcipher.c | 2 +- crypto/algapi.c | 2 +- crypto/api.c | 6 +++--- crypto/crypto_user.c | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) commit 2b278f02de77bd3d0ffb4c64bc56b702d4e27e49 Author: Brad Spengler Date: Tue Oct 27 18:02:42 2015 -0400 Update a comment arch/x86/include/asm/fpu/internal.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 66cbab70d87485c22946485bfd375c3e88140213 Merge: cad84c5 8610c94 Author: Brad Spengler Date: Tue Oct 27 07:44:23 2015 -0400 Merge branch 'pax-test' into grsec-test commit 8610c949a76ac2a09b334f41c35cb8e7a04a0ce8 Merge: a851b41 f69d603 Author: Brad Spengler Date: Tue Oct 27 07:44:14 2015 -0400 Merge branch 'linux-4.2.y' into pax-test commit cad84c52f547c8ba47ddcf39d1f260f55350f0c2 Author: Brad Spengler Date: Mon Oct 26 07:33:21 2015 -0400 re-enable builtin_overflow support include/linux/compiler-gcc.h | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) commit 6e281aebbf456c27ce530055d5668bc5829c02a8 Author: Brad Spengler Date: Mon Oct 26 07:32:15 2015 -0400 Update the size_overflow plugin from Emese to fix the ICE on builtin_overflow use tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 3 ++- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) commit 75ed97df02fc6eb862df511da6ca690de3d0f15c Author: Brad Spengler Date: Mon Oct 26 07:17:00 2015 -0400 Fix from Emese for a size_overflow report in the fbcon code on the 'softback_lines' global variable drivers/video/console/fbcon.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit b088cabd42c6fe825baa27f40ab450ad75e571d3 Author: Brad Spengler Date: Sun Oct 25 18:09:55 2015 -0400 Temporarily work around an ICE on GCC >= 5 reported by Daniel Micay due to backporting of __builtin_usub_overflow include/linux/compiler-gcc.h | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) commit ba858f46865c6751af3ddba03b176e4d5ecf85c1 Author: Brad Spengler Date: Sun Oct 25 17:59:17 2015 -0400 Update size_overflow hash table .../disable_size_overflow_hash.data | 7 +++++++ .../size_overflow_plugin/size_overflow_hash.data | 9 +-------- 2 files changed, 8 insertions(+), 8 deletions(-) commit ba803bceaea0283b38e91c1d3176bf0671786269 Author: Brad Spengler Date: Sun Oct 25 15:31:17 2015 -0400 Fix oversight in pipacs' removal of FPU state from the task struct: fpu_copy was performing an OOB copy starting from the address of the 'state' pointer in the fpu struct instead of starting from the address pointed to by the state pointer. Reported at: https://bugs.archlinux.org/task/46764 arch/x86/include/asm/fpu/internal.h | 4 ++-- arch/x86/kernel/fpu/core.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) commit 26e7d31c5b5c970c50297d2b8be165e9c9ab9d83 Merge: 85d8735 a851b41 Author: Brad Spengler Date: Sun Oct 25 13:39:21 2015 -0400 Merge branch 'pax-test' into grsec-test commit a851b41415a0402d76f10712b6950ddff3872a22 Author: Brad Spengler Date: Sun Oct 25 13:38:25 2015 -0400 Update to latest size_overflow plugin release: Temporarily ignore bitfield types: https://bugs.archlinux.org/task/46798 Use SI or wider type for the size_overflow type: https://forums.grsecurity.net/viewtopic.php?t=4293&p=15655#p15655 .../size_overflow_plugin/intentional_overflow.c | 3 +++ .../size_overflow_plugin/size_overflow_plugin.c | 2 +- .../size_overflow_plugin/size_overflow_transform.c | 7 +++++++ .../size_overflow_transform_core.c | 2 -- 4 files changed, 11 insertions(+), 3 deletions(-) commit 85d8735a1d1190e3ad2e3f032ae88f811090fdfc Author: Brad Spengler Date: Sun Oct 25 13:01:32 2015 -0400 fpu doesn't live on the task_struct with PaX, so don't even bother computing some task_size variable that isn't used for anything arch/x86/kernel/fpu/init.c | 14 -------------- 1 files changed, 0 insertions(+), 14 deletions(-) commit cfd0008de8db38841f7f06b979482900994717b9 Author: Hannes Frederic Sowa Date: Fri Oct 16 11:32:42 2015 +0200 overflow-arith: begin to add support for overflow builtin functions The idea of the overflow-arith.h header is to collect overflow checking functions in one central place. If gcc compiler supports the __builtin_overflow_* builtins we use them because they might give better performance, otherwise the code falls back to normal overflow checking functions. The builtin_overflow functions are supported by gcc-5 and clang. The matter of supporting clang is to just provide a corresponding CC_HAVE_BUILTIN_OVERFLOW, because the specific overflow checking builtins don't differ between gcc and clang. I just provide overflow_usub function here as I intend this to get merged into net, more functions will definitely follow as they are needed. Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/linux/compiler-gcc.h | 4 ++++ include/linux/overflow-arith.h | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+), 0 deletions(-) commit 18d5034650b637ec479f41d98e3912398b3e3efc Author: Hannes Frederic Sowa Date: Fri Oct 16 11:32:43 2015 +0200 ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Raw sockets with hdrincl enabled can insert ipv6 extension headers right into the data stream. In case we need to fragment those packets, we reparse the options header to find the place where we can insert the fragment header. If the extension headers exceed the link's MTU we actually cannot make progress in such a case. Instead of ending up in broken arithmetic or rounding towards 0 and entering an endless loop in ip6_fragment, just prevent those cases by aborting early and signal -EMSGSIZE to user space. Reported-by: Dmitry Vyukov Cc: Dmitry Vyukov Signed-off-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv6/ip6_output.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 0e1d1c0f1981b4049a70d23dce4c69daf19f020b Merge: c81314c 9470e78 Author: Brad Spengler Date: Sun Oct 25 11:51:44 2015 -0400 Merge branch 'pax-test' into grsec-test commit 9470e7893a9a1bf15f9b7d412dc09bebb59105e8 Author: Brad Spengler Date: Sun Oct 25 11:50:54 2015 -0400 Temporary squelching of overflow warning on skb_transport_offset(), will be fixed properly after H2HC include/linux/skbuff.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit c81314ce278e9cfa3322881a6133c2c7e53b9430 Author: Brad Spengler Date: Sat Oct 24 23:13:36 2015 -0400 Update recordmcount/fixdep paths in RPM spec, from Andrew scripts/package/mkspec | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) commit 798e4296bd55778b5e77f1db69c1bb972419590f Author: Brad Spengler Date: Sat Oct 24 23:11:22 2015 -0400 Update size_overflow hash table .../disable_size_overflow_hash.data | 3 +++ .../size_overflow_plugin/size_overflow_hash.data | 5 +---- 2 files changed, 4 insertions(+), 4 deletions(-) commit d9ef04f20fc634595883d1c1950c32a8fe04df22 Author: Brad Spengler Date: Sat Oct 24 08:27:29 2015 -0400 Fix from Emese for https://forums.grsecurity.net/viewtopic.php?f=3&t=4291 drivers/usb/class/cdc-acm.h | 2 +- include/linux/usb.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit eea46f1d247f5f63e3762da91a41cba76567800f Author: Brad Spengler Date: Fri Oct 23 18:24:57 2015 -0400 Update size_overflow hash tables .../disable_size_overflow_hash.data | 5 ++++- .../size_overflow_plugin/size_overflow_hash.data | 5 +---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 8f521b864bd7428f3ad42613416c106d1d619c4d Merge: 26adf00 285f0d1 Author: Brad Spengler Date: Thu Oct 22 19:41:57 2015 -0400 Merge branch 'pax-test' into grsec-test Conflicts: drivers/gpu/drm/drm_lock.c commit 285f0d1cda31b45ee217b90861677c032cb6550b Merge: d6dc25f 190bd21 Author: Brad Spengler Date: Thu Oct 22 19:40:34 2015 -0400 Merge branch 'linux-4.2.y' into pax-test Conflicts: arch/x86/kernel/process_64.c commit 26adf00caf8f4ebf155422082d4e8b8e4eb60eef Author: Eric W. Biederman Date: Sat Aug 15 13:36:12 2015 -0500 dcache: Handle escaped paths in prepend_path A rename can result in a dentry that by walking up d_parent will never reach it's mnt_root. For lack of a better term I call this an escaped path. prepend_path is called by four different functions __d_path, d_absolute_path, d_path, and getcwd. __d_path only wants to see paths are connected to the root it passes in. So __d_path needs prepend_path to return an error. d_absolute_path similarly wants to see paths that are connected to some root. Escaped paths are not connected to any mnt_root so d_absolute_path needs prepend_path to return an error greater than 1. So escaped paths will be treated like paths on lazily unmounted mounts. getcwd needs to prepend "(unreachable)" so getcwd also needs prepend_path to return an error. d_path is the interesting hold out. d_path just wants to print something, and does not care about the weird cases. Which raises the question what should be printed? Given that / should result in -ENOENT I believe it is desirable for escaped paths to be printed as empty paths. As there are not really any meaninful path components when considered from the perspective of a mount tree. So tweak prepend_path to return an empty path with an new error code of 3 when it encounters an escaped path. Signed-off-by: "Eric W. Biederman" Signed-off-by: Al Viro fs/dcache.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) commit d402147a7689356c29bfd46a7cfa6594e517ab95 Author: Salva Peiró Date: Wed Oct 14 17:48:02 2015 +0200 staging/dgnc: fix info leak in ioctl The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of struct digi_dinfo after the ->dinfo_nboards member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: Greg Kroah-Hartman drivers/staging/dgnc/dgnc_mgmt.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit bafc510c4fb4e8a5e69531fdc3a733e58c4bbdbf Author: Salva Peiró Date: Wed Oct 7 07:09:26 2015 -0300 [media] media/vivid-osd: fix info leak in ioctl The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of struct fb_vblank after the ->hcount member. Add an explicit memset(0) before filling the structure to avoid the info leak. Signed-off-by: Salva Peiró Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/vivid/vivid-osd.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 980a903796ae06366fd5acbcd179ee2dc57fbabf Author: David Howells Date: Mon Oct 19 11:20:28 2015 +0100 KEYS: Don't permit request_key() to construct a new keyring If request_key() is used to find a keyring, only do the search part - don't do the construction part if the keyring was not found by the search. We don't really want keyrings in the negative instantiated state since the rejected/negative instantiation error value in the payload is unioned with keyring metadata. Now the kernel gives an error: request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted) Signed-off-by: David Howells security/keys/request_key.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit f705c157ed6f8a9c4c0cf552fd5f054d9d500550 Author: Dan Carpenter Date: Mon Oct 19 13:16:49 2015 +0300 irda: precedence bug in irlmp_seq_hb_idx() This is decrementing the pointer, instead of the value stored in the pointer. KASan detects it as an out of bounds reference. Reported-by: "Berry Cheng 程君(成淼)" Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller net/irda/irlmp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4a110451298bfce895ed224e6bbd9201d8605b2b Author: Brad Spengler Date: Tue Oct 20 19:25:13 2015 -0400 Ratelimit the dump_stack as well, both to 15s with a burst of 3, enough not to completely flood syslog fs/exec.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) commit 183fc2ae7d90e077fd27623998d82916260a2223 Merge: a240939 d6dc25f Author: Brad Spengler Date: Tue Oct 20 19:16:04 2015 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/size_overflow_plugin/size_overflow_plugin.c commit d6dc25f193a832e08d8e7cf097d7f70b3dc24776 Author: Brad Spengler Date: Tue Oct 20 19:14:41 2015 -0400 Update to pax-linux-4.2.3-test16.patch: - fixed undefined integer shift in proc_do_submiturb, reported by Arnaud - fixed integer underflow in scm_detach_fds (similar to 1ac70e7ad24a88710cf9b6d7ababaefa2b575df0 upstream), reported by kdave (https://forums.grsecurity.net/viewtopic.php?f=1&t=4286) - Emese added a temporary workaround for miscompiling the ath10k driver, reported by victor - Emese fixed a false positive that affected the iwlwifi driver among others, reported by victor - Emese disabled size overflow checking in acpi_ex_do_math_op and on acpi_object_integer, reported by xxterry1xx and rfnx (https://forums.grsecurity.net/viewtopic.php?f=3&t=4287) drivers/net/wireless/ath/ath10k/ce.c | 2 +- drivers/usb/core/devio.c | 2 +- fs/dlm/lowcomms.c | 2 +- net/core/scm.c | 6 ++- .../disable_size_overflow_hash.data | 4 +- .../size_overflow_plugin/intentional_overflow.c | 44 -------------------- tools/gcc/size_overflow_plugin/size_overflow.h | 1 - .../size_overflow_plugin/size_overflow_hash.data | 4 +- .../size_overflow_plugin/size_overflow_plugin.c | 4 +- .../size_overflow_plugin/size_overflow_transform.c | 3 - .../size_overflow_transform_core.c | 6 +++ 11 files changed, 19 insertions(+), 59 deletions(-) commit a2409394c2b0d97a9f02bf62ca4c0254602e58a6 Author: Brad Spengler Date: Tue Oct 20 08:58:25 2015 -0400 set default to y security/Kconfig | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 3abe24117389419654da44adc87a9a03ad7e3f38 Author: Brad Spengler Date: Tue Oct 20 08:08:32 2015 -0400 Add a new config option from Emese to allow SIZE_OVERFLOW to be enabled while having it not kill the userland process in an overflow condition. This will help us obtain reports over the next few weeks while not making some percentage of users' machines unusable. To enable this option, set CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL=y in .config fs/exec.c | 5 +++++ security/Kconfig | 4 ++++ .../size_overflow_plugin/size_overflow_plugin.c | 4 ++-- 3 files changed, 11 insertions(+), 2 deletions(-) commit bcae982f720ce0b3463a81f2b72a4807cb89048b Merge: 0e55d80 128d3a5 Author: Brad Spengler Date: Mon Oct 19 18:56:09 2015 -0400 Merge branch 'pax-test' into grsec-test commit 128d3a5452ab001b29235b05eb0be3334fff3998 Author: Brad Spengler Date: Mon Oct 19 18:55:37 2015 -0400 Update to pax-linux-4.2.3-test14.patch: - Emese fixed a false positive size overflow report, reported by gus (https://forums.grsecurity.net/viewtopic.php?t=4280) - fixed an integer sign mixup in usb_stor_invoke_transport, reported by Arnaud drivers/usb/storage/transport.c | 2 +- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- .../size_overflow_plugin/size_overflow_transform.c | 15 +++- .../size_overflow_transform_core.c | 90 ++++++++++++++----- 4 files changed, 81 insertions(+), 28 deletions(-) commit 0e55d80a65998266cab71804131a072fcc8ee558 Merge: a61fd15 9c4310f Author: Brad Spengler Date: Sat Oct 17 23:15:36 2015 -0400 Merge branch 'pax-test' into grsec-test commit 9c4310fdb2d19f83affc62eb2698d3763ce8c36b Author: Brad Spengler Date: Sat Oct 17 23:15:13 2015 -0400 Update to pax-linux-4.2.3-test14.patch: - reverted some page table hardening that caused too much slowdown under virtualization, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275) arch/x86/include/asm/pgtable-2level.h | 18 ++---------------- arch/x86/include/asm/pgtable-3level.h | 10 ---------- arch/x86/include/asm/pgtable_32.h | 2 ++ arch/x86/include/asm/pgtable_64.h | 18 ++---------------- arch/x86/mm/highmem_32.c | 2 ++ arch/x86/mm/init_64.c | 2 ++ arch/x86/mm/iomap_32.c | 4 ++++ arch/x86/mm/pageattr.c | 4 ++++ arch/x86/mm/pgtable.c | 2 ++ arch/x86/mm/pgtable_32.c | 3 +++ mm/highmem.c | 5 +++++ mm/vmalloc.c | 7 +++++++ 12 files changed, 35 insertions(+), 42 deletions(-) commit a61fd152e87bd3ed91194b07f6b1fcbcd165093b Merge: 00f1afa db7a8e5 Author: Brad Spengler Date: Sat Oct 17 18:33:48 2015 -0400 Merge branch 'pax-test' into grsec-test commit db7a8e5c284179889014b5929a40298e1b228fbc Author: Brad Spengler Date: Sat Oct 17 18:33:22 2015 -0400 Update to pax-linux-4.2.3-test13.patch: - Emese worked around a sign mixup with wiphy.rts_threshold, reported by gus (https://forums.grsecurity.net/viewtopic.php?f=3&t=4278) .../disable_size_overflow_hash.data | 2 ++ .../size_overflow_plugin/size_overflow_hash.data | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) commit 00f1afa694317365e9bd6dc77d2e3e96ae3a68ec Merge: 7098385 57dc21d Author: Brad Spengler Date: Sat Oct 17 11:04:56 2015 -0400 Merge branch 'pax-test' into grsec-test commit 57dc21d203a9fa1312a4abc608da5b3644d29078 Author: Brad Spengler Date: Sat Oct 17 11:04:34 2015 -0400 Update to pax-linux-4.2.3-test12.patch: - removed size_overflow_hash.data.prev that was left behind by accident - Emese fixed a false positive overflow report in the megaraid driver due to a gcc limitation, reported by vortex (https://forums.grsecurity.net/viewtopic.php?f=3&t=4277) drivers/scsi/megaraid/megaraid_sas.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 7098385851c43dea6692508c71cd5fbcce3187b2 Merge: bc6d23e 78b0f64 Author: Brad Spengler Date: Fri Oct 16 17:45:06 2015 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/size_overflow_plugin/intentional_overflow.c commit 78b0f643d8d2b870e8ad5df075d4ab79befa4266 Author: Brad Spengler Date: Fri Oct 16 17:44:18 2015 -0400 Update to pax-linux-4.2.3-test11.patch: - Emese fixed a few false positives caused by error codes - simplified the switch_mm code on x86 a bit arch/x86/include/asm/mmu_context.h | 118 +++++-------- include/drm/drm_mm.h | 2 +- .../size_overflow_plugin/intentional_overflow.c | 11 +- tools/gcc/size_overflow_plugin/size_overflow.h | 19 ++- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- .../size_overflow_plugin/size_overflow_transform.c | 178 +++++++++----------- .../size_overflow_transform_core.c | 31 ++-- 7 files changed, 169 insertions(+), 192 deletions(-) commit bc6d23e3408e389f8a96134f6bc915e9fc8b370b Author: Brad Spengler Date: Fri Oct 16 17:28:54 2015 -0400 Update rpm devel spec, thanks to Andrew scripts/package/mkspec | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit b3f30cb9207a72a6aa4a78f23f8c5353be0bb27b Author: Brad Spengler Date: Thu Oct 15 20:10:56 2015 -0400 disable tracing support with GRKERNSEC_KMEM (it forces debugfs support on) kernel/trace/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 82a0c12587f14add438ddf3b558e2278fcb7a387 Author: Brad Spengler Date: Thu Oct 15 19:19:43 2015 -0400 Force DEBUG_FS off the hard way, since 'select' can cause it to be inadvertently enabled. Add a backup check that fails the build if GRKERNSEC_KMEM is enabled with DEBUG_FS Ditto for PROC_PAGE_MONITOR arch/arc/Kconfig | 1 + arch/arm/Kconfig.debug | 1 + arch/arm64/Kconfig.debug | 1 + arch/blackfin/Kconfig.debug | 1 + arch/s390/Kconfig.debug | 1 + arch/x86/Kconfig.debug | 2 ++ drivers/iommu/Kconfig | 1 + drivers/md/bcache/Kconfig | 1 + drivers/net/wireless/ath/ath9k/Kconfig | 1 - include/linux/grsecurity.h | 6 ++++++ init/Kconfig | 1 + kernel/trace/Kconfig | 2 ++ lib/Kconfig.debug | 6 +++++- mm/Kconfig | 3 +++ net/sunrpc/Kconfig | 1 + 15 files changed, 27 insertions(+), 2 deletions(-) commit 1b6f8fc8b8100292647638c713326776a0865705 Author: Brad Spengler Date: Thu Oct 15 17:58:59 2015 -0400 Force DEBUG_FS off in the kernel config, even having it present is a security risk Conflicts: lib/Kconfig.debug lib/Kconfig.debug | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit 21057fc30571f96aa46acf8922417311905d0f2b Author: Brad Spengler Date: Thu Oct 15 08:15:33 2015 -0400 Backport fix from: https://patchwork.kernel.org/patch/6853351/ The debug_read_tlb() uses the sprintf() functions directly on the buffer allocated by buf = kmalloc(count), without taking into account the size of the buffer, with the consequence corrupting the heap, depending on the count requested by the user. The patch fixes the issue replacing sprintf() by seq_printf(). Signed-off-by: Salva Peiró drivers/iommu/omap-iommu-debug.c | 26 +++++++------------------- drivers/iommu/omap-iommu.c | 28 +++++++++++----------------- drivers/iommu/omap-iommu.h | 3 +-- 3 files changed, 19 insertions(+), 38 deletions(-) commit ba936d19274485bad900a69d679878a50faa50aa Author: Joe Perches Date: Wed Oct 14 01:09:40 2015 -0700 ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings It seems that kernel memory can leak into userspace by a kmalloc, ethtool_get_strings, then copy_to_user sequence. Avoid this by using kcalloc to zero fill the copied buffer. Signed-off-by: Joe Perches Acked-by: Ben Hutchings Signed-off-by: David S. Miller net/core/ethtool.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit bae0a8209962cede6a0d486cf2414cac1747f91b Author: Brad Spengler Date: Wed Oct 14 19:54:27 2015 -0400 Update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 53 +++++++++++++++++-- 1 files changed, 47 insertions(+), 6 deletions(-) commit 1d840cc98b8f9b62d3c906ae24385f79c9131e29 Author: Brad Spengler Date: Wed Oct 14 19:50:48 2015 -0400 Update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) commit fca9b7af6aebd1d80f364d6d849470e917919004 Author: Brad Spengler Date: Wed Oct 14 19:47:21 2015 -0400 Update size_overflow hash table .../size_overflow_plugin/size_overflow_hash.data | 300 ++++++++++++++++---- 1 files changed, 244 insertions(+), 56 deletions(-) commit 07cadc277ba83222698c99091c7da2c28275981f Author: Brad Spengler Date: Wed Oct 14 19:39:44 2015 -0400 squelch some informational messages only used by Emese .../size_overflow_plugin/intentional_overflow.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) commit 77eeeac20bde1e0ebd72efe0f7b5c52786411bc7 Author: Brad Spengler Date: Wed Oct 14 19:15:56 2015 -0400 Re-enable size_overflow security/Kconfig | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) commit cb8efa1fd63be1bbcf5e585396cc0ed562d0c624 Merge: 913cbf6 4c48a7f Author: Brad Spengler Date: Wed Oct 14 17:14:42 2015 -0400 Merge branch 'pax-test' into grsec-test Conflicts: tools/gcc/size_overflow_plugin/size_overflow_hash.data commit 4c48a7fc8df9310f994708b42fe1102a2943917c Author: Brad Spengler Date: Wed Oct 14 17:12:54 2015 -0400 Update to pax-linux-4.2.3-test10.patch: - fixed accidentally dropped csum_partial_copy_generic_to_user entry point for pre-P6 i386 configs, by minipli - Emese fixed a bunch of false positives with the size overflow plugin, let's see how it goes in the real world :) arch/x86/include/asm/processor.h | 2 +- arch/x86/include/asm/ptrace.h | 8 +- arch/x86/lib/checksum_32.S | 2 + arch/x86/xen/mmu.c | 2 +- drivers/ata/libahci.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/spi/spidev.c | 2 +- drivers/tty/n_tty.c | 2 +- drivers/usb/core/message.c | 6 +- fs/binfmt_elf.c | 2 +- fs/ubifs/io.c | 2 +- include/drm/drm_mm.h | 2 +- include/linux/completion.h | 12 +- include/linux/jiffies.h | 10 +- include/linux/kernel.h | 2 +- include/linux/mm.h | 2 +- include/linux/random.h | 4 +- include/linux/sched.h | 2 +- include/linux/usb.h | 2 +- kernel/sched/completion.c | 6 +- kernel/time/timer.c | 2 +- lib/bitmap.c | 2 +- mm/internal.h | 2 +- net/sunrpc/svcauth_unix.c | 2 +- .../disable_size_overflow_hash.data |22980 +++++++++++--------- .../insert_size_overflow_asm.c | 7 + .../size_overflow_plugin/intentional_overflow.c | 10 +- tools/gcc/size_overflow_plugin/size_overflow.h | 29 +- .../gcc/size_overflow_plugin/size_overflow_debug.c | 20 +- .../size_overflow_plugin/size_overflow_hash.data |14092 ++++++++---- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 252 +- .../size_overflow_plugin/size_overflow_plugin.c | 2 +- .../size_overflow_plugin_hash.c | 13 +- .../size_overflow_plugin/size_overflow_transform.c | 205 +- .../size_overflow_transform_core.c | 4 +- 36 files changed, 21958 insertions(+), 15740 deletions(-) commit 913cbf6a23fcad570b776b1a5a71242b909c5c99 Author: Dave Kleikamp Date: Mon Oct 5 10:08:51 2015 -0500 crypto: sparc - initialize blkcipher.ivsize Some of the crypto algorithms write to the initialization vector, but no space has been allocated for it. This clobbers adjacent memory. Cc: stable@vger.kernel.org Signed-off-by: Dave Kleikamp Signed-off-by: Herbert Xu arch/sparc/crypto/aes_glue.c | 2 ++ arch/sparc/crypto/camellia_glue.c | 1 + arch/sparc/crypto/des_glue.c | 2 ++ 3 files changed, 5 insertions(+), 0 deletions(-) commit 7af7ad1e287067b7ea659dc0dd3e2e355588e246 Author: Brad Spengler Date: Tue Oct 13 08:03:51 2015 -0400 Apply fix by Tejun Heo for upstream bug reported on the forums by Fuxino: https://forums.grsecurity.net/viewtopic.php?f=3&t=4276#p15570 Probably made more easily reproducible via SANITIZE, but we won't know for sure without a full oops report. For some reason even though this patch was marked for 4.2+ stable over a month ago, it still hasn't hit Greg's tree. block/blk-cgroup.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 8e1f29f9e1af36f71d12213ea6530eb77014c00c Author: Dmitry Vyukov Date: Thu Sep 17 17:17:10 2015 +0200 tty: fix data race on tty_buffer.commit Race on buffer data happens when newly committed data is picked up by an old flush work in the following scenario: __tty_buffer_request_room does a plain write of tail->commit, no barriers were executed before that. At this point flush_to_ldisc reads this new value of commit, and reads buffer data, no barriers in between. The committed buffer data is not necessary visible to flush_to_ldisc. Similar bug happens when tty_schedule_flip commits data. Update commit with smp_store_release and read commit with smp_load_acquire, as it is commit that signals data readiness. This is orthogonal to the existing synchronization on tty_buffer.next, which is required to not dismiss a buffer with unconsumed data. The data race was found with KernelThreadSanitizer (KTSAN). Signed-off-by: Dmitry Vyukov Reviewed-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_buffer.c | 15 ++++++++++++--- 1 files changed, 12 insertions(+), 3 deletions(-) commit d62db216e7182e24317596471c1a3a2a9fb9d1f5 Author: Peter Hurley Date: Sun Jul 12 20:50:49 2015 -0400 tty: Replace smp_rmb/smp_wmb with smp_load_acquire/smp_store_release Clarify flip buffer producer/consumer operation; the use of smp_load_acquire() and smp_store_release() more clearly indicates which memory access requires a barrier. Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_buffer.c | 10 ++++------ 1 files changed, 4 insertions(+), 6 deletions(-) commit c6bbe8a6097f869b6a3d3c40d456727180573dd9 Author: Kosuke Tatsukawa Date: Fri Oct 2 08:27:05 2015 +0000 tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c My colleague ran into a program stall on a x86_64 server, where n_tty_read() was waiting for data even if there was data in the buffer in the pty. kernel stack for the stuck process looks like below. #0 [ffff88303d107b58] __schedule at ffffffff815c4b20 #1 [ffff88303d107bd0] schedule at ffffffff815c513e #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818 #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2 #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23 #5 [ffff88303d107dd0] tty_read at ffffffff81368013 #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704 #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57 #8 [ffff88303d107f00] sys_read at ffffffff811a4306 #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7 There seems to be two problems causing this issue. First, in drivers/tty/n_tty.c, __receive_buf() stores the data and updates ldata->commit_head using smp_store_release() and then checks the wait queue using waitqueue_active(). However, since there is no memory barrier, __receive_buf() could return without calling wake_up_interactive_poll(), and at the same time, n_tty_read() could start to wait in wait_woken() as in the following chart. __receive_buf() n_tty_read() ------------------------------------------------------------------------ if (waitqueue_active(&tty->read_wait)) /* Memory operations issued after the RELEASE may be completed before the RELEASE operation has completed */ add_wait_queue(&tty->read_wait, &wait); ... if (!input_available_p(tty, 0)) { smp_store_release(&ldata->commit_head, ldata->read_head); ... timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout); ------------------------------------------------------------------------ The second problem is that n_tty_read() also lacks a memory barrier call and could also cause __receive_buf() to return without calling wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken() as in the chart below. __receive_buf() n_tty_read() ------------------------------------------------------------------------ spin_lock_irqsave(&q->lock, flags); /* from add_wait_queue() */ ... if (!input_available_p(tty, 0)) { /* Memory operations issued after the RELEASE may be completed before the RELEASE operation has completed */ smp_store_release(&ldata->commit_head, ldata->read_head); if (waitqueue_active(&tty->read_wait)) __add_wait_queue(q, wait); spin_unlock_irqrestore(&q->lock,flags); /* from add_wait_queue() */ ... timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout); ------------------------------------------------------------------------ There are also other places in drivers/tty/n_tty.c which have similar calls to waitqueue_active(), so instead of adding many memory barrier calls, this patch simply removes the call to waitqueue_active(), leaving just wake_up*() behind. This fixes both problems because, even though the memory access before or after the spinlocks in both wake_up*() and add_wait_queue() can sneak into the critical section, it cannot go past it and the critical section assures that they will be serialized (please see "INTER-CPU ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a better explanation). Moreover, the resulting code is much simpler. Latency measurement using a ping-pong test over a pty doesn't show any visible performance drop. Signed-off-by: Kosuke Tatsukawa Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman drivers/tty/n_tty.c | 15 +++++---------- 1 files changed, 5 insertions(+), 10 deletions(-) commit 3af2011ac1a085a3e8c57ca3a840aec393b37db3 Author: Dmitry Vyukov Date: Thu Sep 17 17:17:08 2015 +0200 tty: fix data race in flush_to_ldisc flush_to_ldisc reads port->itty and checks that it is not NULL, concurrently release_tty sets port->itty to NULL. It is possible that flush_to_ldisc loads port->itty once, ensures that it is not NULL, but then reloads it again and uses. The second load can already return NULL, which will cause a crash. Use READ_ONCE to read port->itty. The data race was found with KernelThreadSanitizer (KTSAN). Signed-off-by: Dmitry Vyukov Reviewed-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_buffer.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 4a433f384b0a5b7e39f969ee8df89c56537d078d Author: Dmitry Vyukov Date: Thu Sep 17 17:17:09 2015 +0200 tty: fix data race in tty_buffer_flush tty_buffer_flush frees not acquired buffers. As the result, for example, read of b->size in tty_buffer_free can return garbage value which will lead to a huge buffer hanging in the freelist. This is just the benignest manifestation of freeing of a not acquired object. If the object is passed to kfree, heap can be corrupted. Acquire visibility over the buffer before freeing it. The data race was found with KernelThreadSanitizer (KTSAN). Signed-off-by: Dmitry Vyukov Reviewed-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_buffer.c | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) commit 1477c439d65debf45ac3164a1615504131fad1ff Author: Jann Horn Date: Sun Oct 4 19:29:12 2015 +0200 drivers/tty: require read access for controlling terminal This is mostly a hardening fix, given that write-only access to other users' ttys is usually only given through setgid tty executables. Signed-off-by: Jann Horn Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_io.c | 31 +++++++++++++++++++++++++++---- 1 files changed, 27 insertions(+), 4 deletions(-) commit c2d51348729aa244b827216715db7734daf07155 Author: Brad Spengler Date: Mon Oct 12 07:19:03 2015 -0400 Don't auto-enable UDEREF on x64 with a VirtualBox host Conflicts: security/Kconfig security/Kconfig | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 45ff0fe97624b7133be6f0280ab8fda4610b7937 Merge: ca6828e 1c527d2 Author: Brad Spengler Date: Sun Oct 11 17:17:58 2015 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/mm/pgtable.c commit 1c527d25ad2ece4cdb4723047625d96b942a3b91 Author: Brad Spengler Date: Sun Oct 11 17:16:49 2015 -0400 Update to pax-linux-4.2.3-test9.patch: - really fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) and quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275) - fixed a compilation error caused by the above regression, reported by spender - fixed an arm compilation error, reported by Emese arch/arm/kernel/module-plts.c | 7 +------ arch/x86/mm/pgtable.c | 21 +++++++++++++++++++-- 2 files changed, 20 insertions(+), 8 deletions(-) commit ca6828e73b10b4a7537b16a37c2c0280523171e1 Author: Trond Myklebust Date: Fri Oct 9 13:44:34 2015 -0400 namei: results of d_is_negative() should be checked after dentry revalidation Leandro Awa writes: "After switching to version 4.1.6, our parallelized and distributed workflows now fail consistently with errors of the form: T34: ./regex.c:39:22: error: config.h: No such file or directory From our 'git bisect' testing, the following commit appears to be the possible cause of the behavior we've been seeing: commit 766c4cbfacd8" Al Viro says: "What happens is that 766c4cbfacd8 got the things subtly wrong. We used to treat d_is_negative() after lookup_fast() as "fall with ENOENT". That was wrong - checking ->d_flags outside of ->d_seq protection is unreliable and failing with hard error on what should've fallen back to non-RCU pathname resolution is a bug. Unfortunately, we'd pulled the test too far up and ran afoul of another kind of staleness. The dentry might have been absolutely stable from the RCU point of view (and we might be on UP, etc), but stale from the remote fs point of view. If ->d_revalidate() returns "it's actually stale", dentry gets thrown away and the original code wouldn't even have looked at its ->d_flags. What we need is to check ->d_flags where 766c4cbfacd8 does (prior to ->d_seq validation) but only use the result in cases where we do not discard this dentry outright" Reported-by: Leandro Awa Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911 Fixes: 766c4cbfacd8 ("namei: d_is_negative() should be checked...") Tested-by: Leandro Awa Cc: stable@vger.kernel.org # v4.1+ Signed-off-by: Trond Myklebust Acked-by: Al Viro Signed-off-by: Linus Torvalds fs/namei.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) commit c0181260ce096a814637ad60e45a64c94840fffa Author: Matt Fleming Date: Fri Sep 25 23:02:18 2015 +0100 x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down Beginning with UEFI v2.5 EFI_PROPERTIES_TABLE was introduced that signals that the firmware PE/COFF loader supports splitting code and data sections of PE/COFF images into separate EFI memory map entries. This allows the kernel to map those regions with strict memory protections, e.g. EFI_MEMORY_RO for code, EFI_MEMORY_XP for data, etc. Unfortunately, an unwritten requirement of this new feature is that the regions need to be mapped with the same offsets relative to each other as observed in the EFI memory map. If this is not done crashes like this may occur, BUG: unable to handle kernel paging request at fffffffefe6086dd IP: [] 0xfffffffefe6086dd Call Trace: [] efi_call+0x7e/0x100 [] ? virt_efi_set_variable+0x61/0x90 [] efi_delete_dummy_variable+0x63/0x70 [] efi_enter_virtual_mode+0x383/0x392 [] start_kernel+0x38a/0x417 [] x86_64_start_reservations+0x2a/0x2c [] x86_64_start_kernel+0xeb/0xef Here 0xfffffffefe6086dd refers to an address the firmware expects to be mapped but which the OS never claimed was mapped. The issue is that included in these regions are relative addresses to other regions which were emitted by the firmware toolchain before the "splitting" of sections occurred at runtime. Needless to say, we don't satisfy this unwritten requirement on x86_64 and instead map the EFI memory map entries in reverse order. The above crash is almost certainly triggerable with any kernel newer than v3.13 because that's when we rewrote the EFI runtime region mapping code, in commit d2f7cbe7b26a ("x86/efi: Runtime services virtual mapping"). For kernel versions before v3.13 things may work by pure luck depending on the fragmentation of the kernel virtual address space at the time we map the EFI regions. Instead of mapping the EFI memory map entries in reverse order, where entry N has a higher virtual address than entry N+1, map them in the same order as they appear in the EFI memory map to preserve this relative offset between regions. This patch has been kept as small as possible with the intention that it should be applied aggressively to stable and distribution kernels. It is very much a bugfix rather than support for a new feature, since when EFI_PROPERTIES_TABLE is enabled we must map things as outlined above to even boot - we have no way of asking the firmware not to split the code/data regions. In fact, this patch doesn't even make use of the more strict memory protections available in UEFI v2.5. That will come later. Suggested-by: Ard Biesheuvel Reported-by: Ard Biesheuvel Signed-off-by: Matt Fleming Cc: Cc: Borislav Petkov Cc: Chun-Yi Cc: Dave Young Cc: H. Peter Anvin Cc: James Bottomley Cc: Lee, Chun-Yi Cc: Leif Lindholm Cc: Linus Torvalds Cc: Matthew Garrett Cc: Mike Galbraith Cc: Peter Jones Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/1443218539-7610-2-git-send-email-matt@codeblueprint.co.uk Signed-off-by: Ingo Molnar arch/x86/platform/efi/efi.c | 67 ++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 66 insertions(+), 1 deletions(-) commit 9377caab146791c8c587da3750d6eddcd01bdfba Author: Ard Biesheuvel Date: Fri Sep 25 23:02:19 2015 +0100 arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions The new Properties Table feature introduced in UEFIv2.5 may split memory regions that cover PE/COFF memory images into separate code and data regions. Since these regions only differ in the type (runtime code vs runtime data) and the permission bits, but not in the memory type attributes (UC/WC/WT/WB), the spec does not require them to be aligned to 64 KB. Since the relative offset of PE/COFF .text and .data segments cannot be changed on the fly, this means that we can no longer pad out those regions to be mappable using 64 KB pages. Unfortunately, there is no annotation in the UEFI memory map that identifies data regions that were split off from a code region, so we must apply this logic to all adjacent runtime regions whose attributes only differ in the permission bits. So instead of rounding each memory region to 64 KB alignment at both ends, only round down regions that are not directly preceded by another runtime region with the same type attributes. Since the UEFI spec does not mandate that the memory map be sorted, this means we also need to sort it first. Note that this change will result in all EFI_MEMORY_RUNTIME regions whose start addresses are not aligned to the OS page size to be mapped with executable permissions (i.e., on kernels compiled with 64 KB pages). However, since these mappings are only active during the time that UEFI Runtime Services are being invoked, the window for abuse is rather small. Tested-by: Mark Salter Tested-by: Mark Rutland [UEFI 2.4 only] Signed-off-by: Ard Biesheuvel Signed-off-by: Matt Fleming Reviewed-by: Mark Salter Reviewed-by: Mark Rutland Cc: # v4.0+ Cc: Catalin Marinas Cc: Leif Lindholm Cc: Linus Torvalds Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-kernel@vger.kernel.org Link: http://lkml.kernel.org/r/1443218539-7610-3-git-send-email-matt@codeblueprint.co.uk Signed-off-by: Ingo Molnar arch/arm64/kernel/efi.c | 3 +- drivers/firmware/efi/libstub/arm-stub.c | 88 +++++++++++++++++++++++++----- 2 files changed, 75 insertions(+), 16 deletions(-) commit 189124f1e733622c44d72060832af3c68d7ee8bc Author: Ralf Baechle Date: Fri Oct 2 09:48:57 2015 +0200 MIPS: BPF: Fix load delay slots. The entire bpf_jit_asm.S is written in noreorder mode because "we know better" according to a comment. This also prevented the assembler from throwing in the required NOPs for MIPS I processors which have no load-use interlock, thus the load's consumer might end up using the old value of the register from prior to the load. Fixed by putting the assembler in reorder mode for just the affected load instructions. This is not enough for gas to actually try to be clever by looking at the next instruction and inserting a nop only when needed but as the comment said "we know better", so getting gas to unconditionally emit a NOP is just right in this case and prevents adding further ifdefery. Signed-off-by: Ralf Baechle arch/mips/net/bpf_jit_asm.S | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) commit b4b012d6599fbc3c6e81f0a03cd59eb9f0095ed8 Author: Lee, Chun-Yi Date: Tue Sep 29 20:58:57 2015 +0800 x86/kexec: Fix kexec crash in syscall kexec_file_load() The original bug is a page fault crash that sometimes happens on big machines when preparing ELF headers: BUG: unable to handle kernel paging request at ffffc90613fc9000 IP: [] prepare_elf64_ram_headers_callback+0x165/0x260 The bug is caused by us under-counting the number of memory ranges and subsequently not allocating enough ELF header space for them. The bug is typically masked on smaller systems, because the ELF header allocation is rounded up to the next page. This patch modifies the code in fill_up_crash_elf_data() by using walk_system_ram_res() instead of walk_system_ram_range() to correctly count the max number of crash memory ranges. That's because the walk_system_ram_range() filters out small memory regions that reside in the same page, but walk_system_ram_res() does not. Here's how I found the bug: After tracing prepare_elf64_headers() and prepare_elf64_ram_headers_callback(), the code uses walk_system_ram_res() to fill-in crash memory regions information to the program header, so it counts those small memory regions that reside in a page area. But, when the kernel was using walk_system_ram_range() in fill_up_crash_elf_data() to count the number of crash memory regions, it filters out small regions. I printed those small memory regions, for example: kexec: Get nr_ram ranges. vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0 Based on the code in walk_system_ram_range(), this memory region will be filtered out: pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593 end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593 end_pfn - pfn = 0x77593 - 0x77593 = 0 <=== if (end_pfn > pfn) is FALSE So, the max_nr_ranges that's counted by the kernel doesn't include small memory regions - causing us to under-allocate the required space. That causes the page fault crash that happens in a later code path when preparing ELF headers. This bug is not easy to reproduce on small machines that have few CPUs, because the allocated page aligned ELF buffer has more free space to cover those small memory regions' PT_LOAD headers. Signed-off-by: Lee, Chun-Yi Cc: Andy Lutomirski Cc: Baoquan He Cc: Jiang Liu Cc: Linus Torvalds Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Stephen Rothwell Cc: Takashi Iwai Cc: Thomas Gleixner Cc: Viresh Kumar Cc: Vivek Goyal Cc: kexec@lists.infradead.org Cc: linux-kernel@vger.kernel.org Cc: Link: http://lkml.kernel.org/r/1443531537-29436-1-git-send-email-jlee@suse.com Signed-off-by: Ingo Molnar arch/x86/kernel/crash.c | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-) commit bf91f1e0162bdd27ebd1411090a81fd9188daa4f Author: Elad Raz Date: Sat Aug 22 08:44:11 2015 +0300 netfilter: ipset: Fixing unnamed union init In continue to proposed Vinson Lee's post [1], this patch fixes compilation issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed unions causes compilation error in gcc 4.4.x. References Visible links [1] https://lkml.org/lkml/2015/7/5/74 Signed-off-by: Elad Raz Signed-off-by: Pablo Neira Ayuso net/netfilter/ipset/ip_set_hash_netnet.c | 20 ++++++++++++++++++-- net/netfilter/ipset/ip_set_hash_netportnet.c | 20 ++++++++++++++++++-- 2 files changed, 36 insertions(+), 4 deletions(-) commit fed13a5012b8d7e87a6f9efa2e40e0be28eaecd9 Author: Brad Spengler Date: Fri Oct 9 23:12:43 2015 -0400 compile fix arch/x86/mm/pgtable.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) commit 58edc15a668a6dd90b3f66abc84b509f8fba7505 Author: Daniel Borkmann Date: Mon Aug 31 19:11:02 2015 +0200 netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths Commit 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack templates") migrated templates to the new allocator api, but forgot to update error paths for them in CT and synproxy to use nf_ct_tmpl_free() instead of nf_conntrack_free(). Due to that, memory is being freed into the wrong kmemcache, but also we drop the per net reference count of ct objects causing an imbalance. In Brad's case, this leads to a wrap-around of net->ct.count and thus lets __nf_conntrack_alloc() refuse to create a new ct object: [ 10.340913] xt_addrtype: ipv6 does not support BROADCAST matching [ 10.810168] nf_conntrack: table full, dropping packet [ 11.917416] r8169 0000:07:00.0 eth0: link up [ 11.917438] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready [ 12.815902] nf_conntrack: table full, dropping packet [ 15.688561] nf_conntrack: table full, dropping packet [ 15.689365] nf_conntrack: table full, dropping packet [ 15.690169] nf_conntrack: table full, dropping packet [ 15.690967] nf_conntrack: table full, dropping packet [...] With slab debugging, it also reports the wrong kmemcache (kmalloc-512 vs. nf_conntrack_ffffffff81ce75c0) and reports poison overwrites, etc. Thus, to fix the problem, export and use nf_ct_tmpl_free() instead. Fixes: 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack templates") Reported-by: Brad Jackson Signed-off-by: Daniel Borkmann Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_conntrack.h | 1 + net/netfilter/nf_conntrack_core.c | 3 ++- net/netfilter/nf_synproxy_core.c | 2 +- net/netfilter/xt_CT.c | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) commit 37d26e44573aaa9c3b1f0c36ec9d4bddc008fc03 Author: Brad Spengler Date: Fri Oct 9 18:22:54 2015 -0400 Fix BUG() in scatterwalk_map_and_copy caused by virt_to_page being called on the KSTACKOVERFLOW's vmalloc'd stack. Thanks to Yves-Alexis Perez for the report crypto/scatterwalk.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) commit 8137d53d2b60023587a48004f0b67946ed6db4a8 Merge: 147420b a9c991f Author: Brad Spengler Date: Fri Oct 9 18:20:32 2015 -0400 Merge branch 'pax-test' into grsec-test commit a9c991f727bb8daf15838296e301683791c17071 Author: Brad Spengler Date: Fri Oct 9 18:20:07 2015 -0400 Update to pax-linux-4.2.3-test8.patch: - fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) arch/x86/kernel/espfix_64.c | 4 +--- arch/x86/kernel/kvmclock.c | 20 ++++++-------------- arch/x86/mm/highmem_32.c | 2 ++ arch/x86/mm/pgtable.c | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 42 insertions(+), 17 deletions(-) commit 147420b0f00c7f20f354e1dfa460b904a3af432b Author: Brad Spengler Date: Fri Oct 9 08:54:24 2015 -0400 Properly fix the bug reported at: https://code.google.com/p/android/issues/detail?id=187973 drivers/net/slip/slhc.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 4918a68ea80e1185ec8f3a94d3a2210552ed0bb5 Merge: 4e736d9 7e02f35 Author: Brad Spengler Date: Wed Oct 7 20:57:21 2015 -0400 Merge branch 'pax-test' into grsec-test Conflicts: arch/x86/kernel/espfix_64.c commit 7e02f35880fd6bdb2f4e7ba07a13d6df1d121008 Author: Brad Spengler Date: Wed Oct 7 20:54:36 2015 -0400 Update to pax-linux-4.2.3-test7.patch: - backported vanilla commits b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 and 176fc2d5770a0990eebff903ba680d2edd32e718 - constified a few more page tables for ESPFIX/amd64 - fixed xen and the recently added level1_modules_pgt page tables on amd64 arch/x86/include/asm/pgtable_64.h | 1 + arch/x86/kernel/espfix_64.c | 35 +++++++++++++++++++++++---------- arch/x86/xen/mmu.c | 4 +++ drivers/base/regmap/regmap-debugfs.c | 14 +++++------- 4 files changed, 35 insertions(+), 19 deletions(-) commit 4e736d9e568f6cc0d08dfe7519abf9a5d58a5418 Author: Robin Murphy Date: Thu Oct 1 15:37:19 2015 -0700 dmapool: fix overflow condition in pool_find_page() If a DMA pool lies at the very top of the dma_addr_t range (as may happen with an IOMMU involved), the calculated end address of the pool wraps around to zero, and page lookup always fails. Tweak the relevant calculation to be overflow-proof. Signed-off-by: Robin Murphy Cc: Arnd Bergmann Cc: Marek Szyprowski Cc: Sumit Semwal Cc: Sakari Ailus Cc: Russell King Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/dmapool.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) commit 96a101a9b4208a6e5f2a0db7599881142e70ba43 Author: Greg Thelen Date: Thu Oct 1 15:37:05 2015 -0700 memcg: make mem_cgroup_read_stat() unsigned mem_cgroup_read_stat() returns a page count by summing per cpu page counters. The summing is racy wrt. updates, so a transient negative sum is possible. Callers don't want negative values: - mem_cgroup_wb_stats() doesn't want negative nr_dirty or nr_writeback. This could confuse dirty throttling. - oom reports and memory.stat shouldn't show confusing negative usage. - tree_usage() already avoids negatives. Avoid returning negative page counts from mem_cgroup_read_stat() and convert it to unsigned. [akpm@linux-foundation.org: fix old typo while we're in there] Signed-off-by: Greg Thelen Cc: Johannes Weiner Acked-by: Michal Hocko Cc: [4.2+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 30 ++++++++++++++++++------------ 1 files changed, 18 insertions(+), 12 deletions(-) commit b7808c46650d5f4c09f071566de991af36eb9d37 Author: Daniel Borkmann Date: Fri Oct 2 12:06:03 2015 +0200 bpf: fix panic in SO_GET_FILTER with native ebpf programs When sockets have a native eBPF program attached through setsockopt(sk, SOL_SOCKET, SO_ATTACH_BPF, ...), and then try to dump these over getsockopt(sk, SOL_SOCKET, SO_GET_FILTER, ...), the following panic appears: [49904.178642] BUG: unable to handle kernel NULL pointer dereference at (null) [49904.178762] IP: [] sk_get_filter+0x39/0x90 [49904.182000] PGD 86fc9067 PUD 531a1067 PMD 0 [49904.185196] Oops: 0000 [#1] SMP [...] [49904.224677] Call Trace: [49904.226090] [] sock_getsockopt+0x319/0x740 [49904.227535] [] ? sock_has_perm+0x63/0x70 [49904.228953] [] ? release_sock+0x108/0x150 [49904.230380] [] ? selinux_socket_getsockopt+0x23/0x30 [49904.231788] [] SyS_getsockopt+0xa6/0xc0 [49904.233267] [] entry_SYSCALL_64_fastpath+0x12/0x71 The underlying issue is the very same as in commit b382c0865600 ("sock, diag: fix panic in sock_diag_put_filterinfo"), that is, native eBPF programs don't store an original program since this is only needed in cBPF ones. However, sk_get_filter() wasn't updated to test for this at the time when eBPF could be attached. Just throw an error to the user to indicate that eBPF cannot be dumped over this interface. That way, it can also be known that a program _is_ attached (as opposed to just return 0), and a different (future) method needs to be consulted for a dump. Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller net/core/filter.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) commit 40853c884afb5fc2dcb9f7fc34ef446162566fcc Author: Steve French Date: Mon Sep 28 17:21:07 2015 -0500 [SMB3] Do not fall back to SMBWriteX in set_file_size error cases The error paths in set_file_size for cifs and smb3 are incorrect. In the unlikely event that a server did not support set file info of the file size, the code incorrectly falls back to trying SMBWriteX (note that only the original core SMB Write, used for example by DOS, can set the file size this way - this actually does not work for the more recent SMBWriteX). The idea was since the old DOS SMB Write could set the file size if you write zero bytes at that offset then use that if server rejects the normal set file info call. Fortunately the SMBWriteX will never be sent on the wire (except when file size is zero) since the length and offset fields were reversed in the two places in this function that call SMBWriteX causing the fall back path to return an error. It is also important to never call an SMB request from an SMB2/sMB3 session (which theoretically would be possible, and can cause a brief session drop, although the client recovers) so this should be fixed. In practice this path does not happen with modern servers but the error fall back to SMBWriteX is clearly wrong. Removing the calls to SMBWriteX in the error paths in cifs_set_file_size Pointed out by PaX/grsecurity team Signed-off-by: Steve French Reported-by: PaX Team CC: Emese Revfy CC: Brad Spengler CC: Stable fs/cifs/inode.c | 34 ---------------------------------- 1 files changed, 0 insertions(+), 34 deletions(-) commit f5fad97c967a08f4a89513969598b1d3c8232a38 Author: Brad Spengler Date: Wed Oct 7 18:22:40 2015 -0400 Initial import of grsecurity for Linux 4.2.3 Note that size_overflow is currently marked BROKEN Documentation/dontdiff | 2 + Documentation/kernel-parameters.txt | 7 + Documentation/sysctl/kernel.txt | 15 + Makefile | 18 +- arch/alpha/include/asm/cache.h | 4 +- arch/alpha/kernel/osf_sys.c | 12 +- arch/arm/Kconfig | 1 + arch/arm/include/asm/thread_info.h | 9 +- arch/arm/kernel/process.c | 4 +- arch/arm/kernel/ptrace.c | 9 + arch/arm/kernel/traps.c | 7 +- arch/arm/mm/Kconfig | 2 +- arch/arm/mm/fault.c | 40 +- arch/arm/mm/mmap.c | 8 +- arch/arm/net/bpf_jit_32.c | 51 +- arch/avr32/include/asm/cache.h | 4 +- arch/blackfin/include/asm/cache.h | 3 +- arch/cris/include/arch-v10/arch/cache.h | 3 +- arch/cris/include/arch-v32/arch/cache.h | 3 +- arch/frv/include/asm/cache.h | 3 +- arch/frv/mm/elf-fdpic.c | 4 +- arch/hexagon/include/asm/cache.h | 6 +- arch/ia64/Kconfig | 1 + arch/ia64/include/asm/cache.h | 3 +- arch/ia64/kernel/sys_ia64.c | 2 + arch/ia64/mm/hugetlbpage.c | 2 + arch/m32r/include/asm/cache.h | 4 +- arch/m68k/include/asm/cache.h | 4 +- arch/metag/mm/hugetlbpage.c | 1 + arch/microblaze/include/asm/cache.h | 3 +- arch/mips/Kconfig | 1 + arch/mips/include/asm/cache.h | 3 +- arch/mips/include/asm/thread_info.h | 11 +- arch/mips/kernel/irq.c | 3 + arch/mips/kernel/ptrace.c | 9 + arch/mips/mm/mmap.c | 4 +- arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +- arch/mn10300/proc-mn2ws0050/include/proc/cache.h | 4 +- arch/openrisc/include/asm/cache.h | 4 +- arch/parisc/include/asm/cache.h | 5 +- arch/parisc/kernel/sys_parisc.c | 4 + arch/powerpc/Kconfig | 1 + arch/powerpc/include/asm/cache.h | 3 +- arch/powerpc/include/asm/thread_info.h | 5 +- arch/powerpc/kernel/Makefile | 2 + arch/powerpc/kernel/irq.c | 3 + arch/powerpc/kernel/process.c | 10 +- arch/powerpc/kernel/ptrace.c | 14 + arch/powerpc/kernel/traps.c | 5 + arch/powerpc/mm/slice.c | 2 +- arch/s390/include/asm/cache.h | 4 +- arch/score/include/asm/cache.h | 4 +- arch/sh/include/asm/cache.h | 3 +- arch/sh/mm/mmap.c | 6 +- arch/sparc/include/asm/cache.h | 4 +- arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/thread_info_64.h | 8 +- arch/sparc/kernel/process_32.c | 6 +- arch/sparc/kernel/process_64.c | 8 +- arch/sparc/kernel/ptrace_64.c | 14 + arch/sparc/kernel/sys_sparc_64.c | 8 +- arch/sparc/kernel/syscalls.S | 8 +- arch/sparc/kernel/traps_32.c | 8 +- arch/sparc/kernel/traps_64.c | 28 +- arch/sparc/kernel/unaligned_64.c | 2 +- arch/sparc/mm/fault_64.c | 2 +- arch/sparc/mm/hugetlbpage.c | 15 +- arch/tile/Kconfig | 1 + arch/tile/include/asm/cache.h | 3 +- arch/tile/mm/hugetlbpage.c | 2 + arch/um/include/asm/cache.h | 3 +- arch/unicore32/include/asm/cache.h | 6 +- arch/x86/Kconfig | 21 + arch/x86/entry/entry_32.S | 2 +- arch/x86/entry/entry_64.S | 2 +- arch/x86/ia32/ia32_aout.c | 2 + arch/x86/include/asm/floppy.h | 20 +- arch/x86/include/asm/io.h | 2 +- arch/x86/include/asm/page.h | 12 +- arch/x86/include/asm/paravirt_types.h | 23 +- arch/x86/include/asm/processor.h | 2 +- arch/x86/include/asm/thread_info.h | 8 +- arch/x86/kernel/dumpstack.c | 10 +- arch/x86/kernel/dumpstack_32.c | 2 +- arch/x86/kernel/dumpstack_64.c | 2 +- arch/x86/kernel/espfix_64.c | 2 +- arch/x86/kernel/fpu/init.c | 4 +- arch/x86/kernel/ioport.c | 13 + arch/x86/kernel/irq_32.c | 3 + arch/x86/kernel/irq_64.c | 4 + arch/x86/kernel/ldt.c | 18 + arch/x86/kernel/msr.c | 10 + arch/x86/kernel/ptrace.c | 28 + arch/x86/kernel/signal.c | 9 +- arch/x86/kernel/sys_i386_32.c | 9 +- arch/x86/kernel/sys_x86_64.c | 8 +- arch/x86/kernel/traps.c | 5 + arch/x86/kernel/verify_cpu.S | 1 + arch/x86/kernel/vm86_32.c | 16 + arch/x86/mm/fault.c | 12 +- arch/x86/mm/hugetlbpage.c | 15 +- arch/x86/mm/init.c | 66 +- arch/x86/mm/init_32.c | 6 +- arch/x86/net/bpf_jit_comp.c | 4 + arch/x86/platform/efi/efi_64.c | 2 +- arch/x86/xen/Kconfig | 1 + arch/xtensa/variants/dc232b/include/variant/core.h | 2 +- arch/xtensa/variants/fsf/include/variant/core.h | 3 +- drivers/acpi/acpica/hwxfsleep.c | 11 +- drivers/acpi/custom_method.c | 4 + drivers/block/cciss.h | 30 +- drivers/block/smart1,2.h | 40 +- drivers/cdrom/cdrom.c | 2 +- drivers/char/Kconfig | 4 +- drivers/char/genrtc.c | 1 + drivers/char/mem.c | 17 + drivers/char/random.c | 5 +- drivers/cpufreq/sparc-us3-cpufreq.c | 2 - drivers/firewire/ohci.c | 4 + drivers/gpu/drm/drm_context.c | 50 +- drivers/gpu/drm/drm_drv.c | 11 +- drivers/gpu/drm/drm_lock.c | 18 +- drivers/gpu/drm/i915/i915_dma.c | 2 + drivers/gpu/drm/nouveau/nouveau_drm.c | 3 +- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +- drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +- drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +- drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +- drivers/hid/hid-wiimote-debug.c | 2 +- drivers/infiniband/hw/nes/nes_cm.c | 22 +- drivers/iommu/amd_iommu.c | 14 +- drivers/isdn/gigaset/bas-gigaset.c | 32 +- drivers/isdn/gigaset/ser-gigaset.c | 32 +- drivers/isdn/gigaset/usb-gigaset.c | 32 +- drivers/isdn/i4l/isdn_concap.c | 6 +- drivers/isdn/i4l/isdn_x25iface.c | 16 +- drivers/md/raid5.c | 8 + drivers/media/pci/solo6x10/solo6x10-g723.c | 2 +- drivers/media/radio/radio-cadet.c | 5 +- drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +- drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 +- drivers/media/usb/dvb-usb/dvb-usb-firmware.c | 37 +- drivers/media/usb/dvb-usb/technisat-usb2.c | 75 +- drivers/message/fusion/mptbase.c | 9 + drivers/misc/sgi-xp/xp_main.c | 12 +- drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +- drivers/net/wan/lmc/lmc_media.c | 97 +- drivers/net/wan/z85230.c | 24 +- drivers/net/wireless/zd1211rw/zd_usb.c | 2 +- drivers/pci/proc.c | 9 + drivers/platform/x86/asus-wmi.c | 12 + drivers/rtc/rtc-dev.c | 3 + drivers/scsi/bfa/bfa_fcs.c | 19 +- drivers/scsi/bfa/bfa_fcs_lport.c | 29 +- drivers/scsi/bfa/bfa_modules.h | 12 +- drivers/scsi/hpsa.h | 40 +- drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 10 +- drivers/staging/sm750fb/sm750.c | 3 + drivers/tty/serial/uartlite.c | 4 +- drivers/tty/sysrq.c | 2 +- drivers/tty/vt/keyboard.c | 22 +- drivers/uio/uio.c | 6 +- drivers/usb/core/hub.c | 5 + drivers/usb/gadget/function/f_uac1.c | 1 + drivers/usb/gadget/function/u_uac1.c | 1 + drivers/usb/host/hwa-hc.c | 9 +- drivers/usb/usbip/vhci_sysfs.c | 2 +- drivers/video/fbdev/arcfb.c | 2 +- drivers/video/fbdev/matrox/matroxfb_DAC1064.c | 10 +- drivers/video/fbdev/matrox/matroxfb_Ti3026.c | 5 +- drivers/video/fbdev/sh_mobile_lcdcfb.c | 6 +- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++----- drivers/xen/xenfs/xenstored.c | 5 + firmware/Makefile | 2 + firmware/WHENCE | 20 +- firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 +++++++++++++++++ firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 ++++++++++++++++++++ fs/attr.c | 1 + fs/autofs4/waitq.c | 9 + fs/binfmt_aout.c | 7 + fs/binfmt_elf.c | 40 +- fs/compat.c | 20 +- fs/coredump.c | 17 +- fs/dcache.c | 3 + fs/debugfs/inode.c | 11 +- fs/exec.c | 218 +- fs/ext2/balloc.c | 4 +- fs/ext2/super.c | 8 +- fs/ext3/balloc.c | 4 +- fs/ext3/super.c | 8 +- fs/ext4/balloc.c | 4 +- fs/fcntl.c | 4 + fs/fhandle.c | 3 +- fs/file.c | 4 + fs/filesystems.c | 4 + fs/fs_struct.c | 20 +- fs/hugetlbfs/inode.c | 5 +- fs/inode.c | 8 +- fs/kernfs/dir.c | 6 + fs/mount.h | 4 +- fs/namei.c | 285 +- fs/namespace.c | 24 + fs/nfsd/nfscache.c | 2 +- fs/open.c | 38 + fs/overlayfs/inode.c | 3 + fs/overlayfs/super.c | 6 +- fs/pipe.c | 2 +- fs/posix_acl.c | 15 +- fs/proc/Kconfig | 10 +- fs/proc/array.c | 66 +- fs/proc/base.c | 168 +- fs/proc/cmdline.c | 4 + fs/proc/devices.c | 4 + fs/proc/fd.c | 17 +- fs/proc/generic.c | 64 + fs/proc/inode.c | 17 + fs/proc/internal.h | 11 +- fs/proc/interrupts.c | 4 + fs/proc/kcore.c | 3 + fs/proc/proc_net.c | 31 + fs/proc/proc_sysctl.c | 52 +- fs/proc/root.c | 8 + fs/proc/stat.c | 69 +- fs/proc/task_mmu.c | 66 +- fs/readdir.c | 19 + fs/reiserfs/item_ops.c | 24 +- fs/reiserfs/super.c | 4 + fs/select.c | 2 + fs/seq_file.c | 30 +- fs/stat.c | 20 +- fs/sysfs/dir.c | 30 +- fs/utimes.c | 7 + fs/xattr.c | 26 +- grsecurity/Kconfig | 1182 ++++ grsecurity/Makefile | 54 + grsecurity/gracl.c | 2757 +++++++++ grsecurity/gracl_alloc.c | 105 + grsecurity/gracl_cap.c | 127 + grsecurity/gracl_compat.c | 269 + grsecurity/gracl_fs.c | 448 ++ grsecurity/gracl_ip.c | 386 ++ grsecurity/gracl_learn.c | 207 + grsecurity/gracl_policy.c | 1786 ++++++ grsecurity/gracl_res.c | 68 + grsecurity/gracl_segv.c | 304 + grsecurity/gracl_shm.c | 40 + grsecurity/grsec_chdir.c | 19 + grsecurity/grsec_chroot.c | 467 ++ grsecurity/grsec_disabled.c | 445 ++ grsecurity/grsec_exec.c | 189 + grsecurity/grsec_fifo.c | 26 + grsecurity/grsec_fork.c | 23 + grsecurity/grsec_init.c | 290 + grsecurity/grsec_ipc.c | 48 + grsecurity/grsec_link.c | 65 + grsecurity/grsec_log.c | 340 + grsecurity/grsec_mem.c | 48 + grsecurity/grsec_mount.c | 65 + grsecurity/grsec_pax.c | 47 + grsecurity/grsec_proc.c | 20 + grsecurity/grsec_ptrace.c | 30 + grsecurity/grsec_sig.c | 236 + grsecurity/grsec_sock.c | 244 + grsecurity/grsec_sysctl.c | 488 ++ grsecurity/grsec_time.c | 16 + grsecurity/grsec_tpe.c | 78 + grsecurity/grsec_usb.c | 15 + grsecurity/grsum.c | 64 + include/drm/drmP.h | 23 +- include/linux/binfmts.h | 5 +- include/linux/capability.h | 13 + include/linux/compiler-gcc.h | 5 + include/linux/compiler.h | 8 + include/linux/cred.h | 8 +- include/linux/dcache.h | 5 +- include/linux/fs.h | 24 +- include/linux/fs_struct.h | 2 +- include/linux/fsnotify.h | 6 + include/linux/gracl.h | 342 + include/linux/gracl_compat.h | 156 + include/linux/gralloc.h | 9 + include/linux/grdefs.h | 140 + include/linux/grinternal.h | 230 + include/linux/grmsg.h | 118 + include/linux/grsecurity.h | 249 + include/linux/grsock.h | 19 + include/linux/ipc.h | 2 +- include/linux/ipc_namespace.h | 2 +- include/linux/kallsyms.h | 18 +- include/linux/kmod.h | 5 + include/linux/kobject.h | 2 +- include/linux/lsm_hooks.h | 4 +- include/linux/mm.h | 12 + include/linux/mm_types.h | 4 +- include/linux/module.h | 5 +- include/linux/mount.h | 2 +- include/linux/netfilter/xt_gradm.h | 9 + include/linux/path.h | 4 +- include/linux/perf_event.h | 13 +- include/linux/pid_namespace.h | 2 +- include/linux/printk.h | 2 +- include/linux/proc_fs.h | 22 +- include/linux/proc_ns.h | 2 +- include/linux/random.h | 2 +- include/linux/rbtree_augmented.h | 4 +- include/linux/scatterlist.h | 12 +- include/linux/sched.h | 110 +- include/linux/security.h | 3 +- include/linux/seq_file.h | 5 + include/linux/shm.h | 6 +- include/linux/skbuff.h | 3 + include/linux/slab.h | 9 - include/linux/sysctl.h | 8 +- include/linux/thread_info.h | 6 +- include/linux/tty.h | 2 +- include/linux/tty_driver.h | 4 +- include/linux/uidgid.h | 5 + include/linux/user_namespace.h | 2 +- include/linux/utsname.h | 2 +- include/linux/vermagic.h | 16 +- include/linux/vmalloc.h | 8 + include/net/af_unix.h | 2 +- include/net/ip.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 2 +- include/net/sock.h | 2 +- include/trace/events/fs.h | 53 + include/uapi/drm/i915_drm.h | 1 + include/uapi/linux/personality.h | 1 + init/Kconfig | 3 +- init/main.c | 35 +- ipc/mqueue.c | 1 + ipc/msg.c | 14 +- ipc/shm.c | 36 +- ipc/util.c | 14 +- kernel/auditsc.c | 2 +- kernel/bpf/syscall.c | 8 +- kernel/capability.c | 41 +- kernel/cgroup.c | 5 +- kernel/compat.c | 1 + kernel/configs.c | 11 + kernel/cred.c | 112 +- kernel/events/core.c | 14 +- kernel/exit.c | 10 +- kernel/fork.c | 86 +- kernel/futex.c | 4 +- kernel/kallsyms.c | 9 + kernel/kcmp.c | 4 + kernel/kexec.c | 2 +- kernel/kmod.c | 95 +- kernel/kprobes.c | 7 +- kernel/ksysfs.c | 2 + kernel/locking/lockdep_proc.c | 10 +- kernel/module.c | 108 +- kernel/panic.c | 4 +- kernel/pid.c | 19 +- kernel/power/Kconfig | 2 + kernel/printk/printk.c | 7 +- kernel/ptrace.c | 20 +- kernel/resource.c | 10 + kernel/sched/core.c | 11 +- kernel/signal.c | 37 +- kernel/sys.c | 64 +- kernel/sysctl.c | 180 +- kernel/taskstats.c | 6 + kernel/time/posix-timers.c | 8 + kernel/time/time.c | 5 + kernel/time/timekeeping.c | 3 + kernel/time/timer_list.c | 13 +- kernel/time/timer_stats.c | 10 +- kernel/trace/trace_syscalls.c | 8 + kernel/user_namespace.c | 15 + lib/Kconfig.debug | 7 +- lib/is_single_threaded.c | 3 + lib/list_debug.c | 65 +- lib/nlattr.c | 2 + lib/rbtree.c | 4 +- lib/vsprintf.c | 39 +- localversion-grsec | 1 + mm/Kconfig | 5 +- mm/Kconfig.debug | 1 + mm/filemap.c | 1 + mm/hugetlb.c | 8 + mm/kmemleak.c | 4 +- mm/memory.c | 2 +- mm/mempolicy.c | 12 +- mm/migrate.c | 3 +- mm/mlock.c | 6 +- mm/mmap.c | 93 +- mm/mprotect.c | 8 + mm/page_alloc.c | 2 +- mm/process_vm_access.c | 6 + mm/shmem.c | 2 +- mm/slab.c | 27 +- mm/slab_common.c | 2 +- mm/slob.c | 12 + mm/slub.c | 33 +- mm/util.c | 3 + mm/vmalloc.c | 80 +- mm/vmstat.c | 29 +- net/appletalk/atalk_proc.c | 2 +- net/atm/lec.c | 6 +- net/atm/mpoa_caches.c | 42 +- net/can/bcm.c | 2 +- net/can/proc.c | 2 +- net/core/dev_ioctl.c | 7 +- net/core/filter.c | 8 +- net/core/net-procfs.c | 17 +- net/core/pktgen.c | 2 +- net/core/sock.c | 3 +- net/core/sysctl_net_core.c | 2 +- net/decnet/dn_dev.c | 2 +- net/ipv4/devinet.c | 6 +- net/ipv4/inet_hashtables.c | 5 + net/ipv4/ip_input.c | 7 + net/ipv4/ip_sockglue.c | 3 +- net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +- net/ipv4/route.c | 6 +- net/ipv4/tcp_input.c | 4 +- net/ipv4/tcp_ipv4.c | 24 +- net/ipv4/tcp_minisocks.c | 9 +- net/ipv4/tcp_timer.c | 11 + net/ipv4/udp.c | 24 + net/ipv6/addrconf.c | 13 +- net/ipv6/proc.c | 2 +- net/ipv6/tcp_ipv6.c | 23 +- net/ipv6/udp.c | 7 + net/ipx/ipx_proc.c | 2 +- net/irda/irproc.c | 2 +- net/llc/llc_proc.c | 2 +- net/netfilter/Kconfig | 10 + net/netfilter/Makefile | 1 + net/netfilter/nf_conntrack_core.c | 8 + net/netfilter/xt_gradm.c | 51 + net/netfilter/xt_hashlimit.c | 4 +- net/netfilter/xt_recent.c | 2 +- net/socket.c | 71 +- net/sunrpc/cache.c | 2 +- net/sunrpc/stats.c | 2 +- net/sysctl_net.c | 2 +- net/unix/af_unix.c | 52 +- net/vmw_vsock/vmci_transport_notify.c | 30 +- net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +- net/x25/sysctl_net_x25.c | 2 +- net/x25/x25_proc.c | 2 +- scripts/package/Makefile | 2 +- scripts/package/mkspec | 38 +- security/Kconfig | 370 +- security/apparmor/file.c | 4 +- security/apparmor/lsm.c | 8 +- security/commoncap.c | 29 + security/min_addr.c | 2 + security/tomoyo/file.c | 12 +- security/tomoyo/mount.c | 4 + security/tomoyo/tomoyo.c | 20 +- security/yama/Kconfig | 2 +- sound/synth/emux/emux_seq.c | 14 +- sound/usb/line6/driver.c | 40 +- sound/usb/line6/toneport.c | 12 +- tools/gcc/.gitignore | 1 + tools/gcc/Makefile | 12 + tools/gcc/gen-random-seed.sh | 8 + tools/gcc/randomize_layout_plugin.c | 930 +++ tools/gcc/size_overflow_plugin/.gitignore | 1 + .../size_overflow_plugin/size_overflow_hash.data | 320 +- 466 files changed, 32295 insertions(+), 2907 deletions(-) commit fc19197ab5a42069863a7d88f1d41eb687697fe9 Author: Brad Spengler Date: Sun Oct 4 20:43:51 2015 -0400 Update to pax-linux-4.2.3-test6.patch: - fixed a KERNEXEC/x86 and early ioremap regression, reported by spender - sanitized a few more top level page table entries on amd64 arch/x86/kernel/espfix_64.c | 2 +- arch/x86/kernel/head_64.S | 8 ++++---- arch/x86/mm/ioremap.c | 6 +++++- 3 files changed, 10 insertions(+), 6 deletions(-) commit 23ac5415b9ef394e10b1516d3b314c742c6a3e59 Author: Brad Spengler Date: Sun Oct 4 17:47:37 2015 -0400 Resync with pax-linux-4.2.3-test5.patch arch/x86/include/asm/pgtable-2level.h | 20 ++++++++++++++++---- arch/x86/include/asm/pgtable-3level.h | 8 ++++++++ arch/x86/include/asm/pgtable_32.h | 2 -- arch/x86/include/asm/pgtable_64.h | 20 ++++++++++++++++---- arch/x86/mm/highmem_32.c | 2 -- arch/x86/mm/init_64.c | 2 -- arch/x86/mm/iomap_32.c | 4 ---- arch/x86/mm/ioremap.c | 2 +- arch/x86/mm/pgtable.c | 2 -- arch/x86/mm/pgtable_32.c | 3 --- mm/highmem.c | 6 +----- mm/vmalloc.c | 12 +----------- .../size_overflow_plugin/size_overflow_hash.data | 2 -- 13 files changed, 43 insertions(+), 42 deletions(-) commit 25f4bed80f0d87783793a70d6c20080031a1fd38 Author: Brad Spengler Date: Sun Oct 4 13:06:32 2015 -0400 Update to pax-linux-4.2.3-test5.patch: - forward port to 4.2.3 - fixed integer sign conversion errors caused by ieee80211_tx_rate_control.max_rate_idx, caught by the size overflow plugin - fixed a bug in try_preserve_large_page that caused unnecessary large page split ups - increased the number of statically allocated kernel page tables under KERNEXEC/amd64 arch/x86/include/asm/pgtable-2level.h | 2 ++ arch/x86/include/asm/pgtable-3level.h | 5 +++++ arch/x86/include/asm/pgtable_64.h | 2 ++ arch/x86/kernel/cpu/bugs_64.c | 2 ++ arch/x86/kernel/head_64.S | 28 +++++++++++++++++++++++----- arch/x86/kernel/vmlinux.lds.S | 8 +++++++- arch/x86/mm/init.c | 18 ++++++++++++++---- arch/x86/mm/ioremap.c | 8 ++++++-- arch/x86/mm/pageattr.c | 5 ++--- arch/x86/mm/pgtable.c | 2 ++ include/asm-generic/sections.h | 1 + include/asm-generic/vmlinux.lds.h | 2 ++ include/net/mac80211.h | 2 +- mm/vmalloc.c | 7 ++++++- 14 files changed, 75 insertions(+), 17 deletions(-) commit a2dce7cb2e3c389b7ef6c76c15ccdbf506007ddd Merge: d113ff6 fcba09f Author: Brad Spengler Date: Sat Oct 3 09:12:31 2015 -0400 Merge branch 'linux-4.2.y' into pax-test commit d113ff6e7835e89e2b954503b1a100750ddb43c7 Author: Brad Spengler Date: Thu Oct 1 21:34:12 2015 -0400 Update to pax-linux-4.2.2-test5.patch: - fixed a RANDKSTACK regression, reported by spender - fixed some more compiler warnings due to the ktla_ktva changes, reported by spender arch/x86/entry/entry_64.S | 2 ++ arch/x86/kernel/process.c | 1 + drivers/hv/hv.c | 2 +- drivers/lguest/x86/core.c | 4 ++-- drivers/misc/kgdbts.c | 4 ++-- drivers/video/fbdev/uvesafb.c | 4 ++-- fs/binfmt_elf_fdpic.c | 2 +- 7 files changed, 11 insertions(+), 8 deletions(-) commit 149e32a4dddfae46e2490f011870cd4492ca946c Author: Brad Spengler Date: Tue Sep 29 16:31:50 2015 -0400 Update to pax-linux-4.2.2-test4.patch: - fixed a few compiler warnings caused by the recently reworked ktla_ktva/ktva_ktla functions, reported by spender - Emese fixed a size overflow false positive in the IDE driver, reported by spender arch/x86/lib/insn.c | 2 +- drivers/ide/ide-disk.c | 2 +- drivers/video/fbdev/vesafb.c | 4 ++-- fs/binfmt_elf.c | 2 +- .../size_overflow_plugin/size_overflow_plugin.c | 4 ++-- .../size_overflow_transform_core.c | 11 +++++------ 6 files changed, 12 insertions(+), 13 deletions(-) commit 02c41b848fbaddf82ce98690b23d3d85a94d55fe Merge: b8b2f5b 7659db3 Author: Brad Spengler Date: Tue Sep 29 15:50:40 2015 -0400 Merge branch 'linux-4.2.y' into pax-test Conflicts: fs/nfs/inode.c commit b8b2f5bc93ced0ca9a8366d0f3fa09abd1ca7ac6 Author: Brad Spengler Date: Tue Sep 29 09:13:54 2015 -0400 Initial import of pax-linux-4.2.1-test3.patch Documentation/dontdiff | 47 +- Documentation/kbuild/makefiles.txt | 39 +- Documentation/kernel-parameters.txt | 28 + Makefile | 108 +- arch/alpha/include/asm/atomic.h | 10 + arch/alpha/include/asm/elf.h | 7 + arch/alpha/include/asm/pgalloc.h | 6 + arch/alpha/include/asm/pgtable.h | 11 + arch/alpha/kernel/module.c | 2 +- arch/alpha/kernel/osf_sys.c | 8 +- arch/alpha/mm/fault.c | 141 +- arch/arm/Kconfig | 2 +- arch/arm/include/asm/atomic.h | 319 +- arch/arm/include/asm/barrier.h | 2 +- arch/arm/include/asm/cache.h | 5 +- arch/arm/include/asm/cacheflush.h | 2 +- arch/arm/include/asm/checksum.h | 14 +- arch/arm/include/asm/cmpxchg.h | 4 + arch/arm/include/asm/cpuidle.h | 2 +- arch/arm/include/asm/domain.h | 33 +- arch/arm/include/asm/elf.h | 9 +- arch/arm/include/asm/fncpy.h | 2 + arch/arm/include/asm/futex.h | 10 + arch/arm/include/asm/kmap_types.h | 2 +- arch/arm/include/asm/mach/dma.h | 2 +- arch/arm/include/asm/mach/map.h | 16 +- arch/arm/include/asm/outercache.h | 2 +- arch/arm/include/asm/page.h | 3 +- arch/arm/include/asm/pgalloc.h | 20 + arch/arm/include/asm/pgtable-2level-hwdef.h | 4 +- arch/arm/include/asm/pgtable-2level.h | 3 + arch/arm/include/asm/pgtable-3level.h | 3 + arch/arm/include/asm/pgtable.h | 54 +- arch/arm/include/asm/psci.h | 2 +- arch/arm/include/asm/smp.h | 2 +- arch/arm/include/asm/thread_info.h | 6 +- arch/arm/include/asm/tls.h | 3 + arch/arm/include/asm/uaccess.h | 100 +- arch/arm/include/uapi/asm/ptrace.h | 2 +- arch/arm/kernel/armksyms.c | 8 +- arch/arm/kernel/cpuidle.c | 2 +- arch/arm/kernel/entry-armv.S | 110 +- arch/arm/kernel/entry-common.S | 40 +- arch/arm/kernel/entry-header.S | 60 + arch/arm/kernel/fiq.c | 3 + arch/arm/kernel/head.S | 2 +- arch/arm/kernel/module.c | 38 +- arch/arm/kernel/patch.c | 2 + arch/arm/kernel/process.c | 90 +- arch/arm/kernel/psci.c | 2 +- arch/arm/kernel/reboot.c | 1 + arch/arm/kernel/setup.c | 20 +- arch/arm/kernel/signal.c | 35 +- arch/arm/kernel/smp.c | 2 +- arch/arm/kernel/tcm.c | 4 +- arch/arm/kernel/traps.c | 6 +- arch/arm/kernel/vmlinux.lds.S | 6 +- arch/arm/kvm/arm.c | 10 +- arch/arm/lib/clear_user.S | 6 +- arch/arm/lib/copy_from_user.S | 6 +- arch/arm/lib/copy_page.S | 1 + arch/arm/lib/copy_to_user.S | 6 +- arch/arm/lib/csumpartialcopyuser.S | 4 +- arch/arm/lib/delay.c | 2 +- arch/arm/lib/uaccess_with_memcpy.c | 8 +- arch/arm/mach-exynos/suspend.c | 6 +- arch/arm/mach-mvebu/coherency.c | 4 +- arch/arm/mach-omap2/board-n8x0.c | 2 +- arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +- arch/arm/mach-omap2/omap-smp.c | 1 + arch/arm/mach-omap2/omap-wakeupgen.c | 2 +- arch/arm/mach-omap2/omap_device.c | 4 +- arch/arm/mach-omap2/omap_device.h | 4 +- arch/arm/mach-omap2/omap_hwmod.c | 4 +- arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +- arch/arm/mach-omap2/wd_timer.c | 6 +- arch/arm/mach-shmobile/platsmp-apmu.c | 5 +- arch/arm/mach-shmobile/pm-r8a7740.c | 5 +- arch/arm/mach-shmobile/pm-sh73a0.c | 5 +- arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +- arch/arm/mach-tegra/irq.c | 1 + arch/arm/mach-ux500/pm.c | 1 + arch/arm/mach-zynq/platsmp.c | 1 + arch/arm/mm/Kconfig | 6 +- arch/arm/mm/alignment.c | 8 + arch/arm/mm/cache-l2x0.c | 2 +- arch/arm/mm/context.c | 10 +- arch/arm/mm/fault.c | 146 + arch/arm/mm/fault.h | 12 + arch/arm/mm/init.c | 39 + arch/arm/mm/ioremap.c | 4 +- arch/arm/mm/mmap.c | 30 +- arch/arm/mm/mmu.c | 182 +- arch/arm/net/bpf_jit_32.c | 3 + arch/arm/plat-iop/setup.c | 2 +- arch/arm/plat-omap/sram.c | 2 + arch/arm64/include/asm/atomic.h | 10 + arch/arm64/include/asm/barrier.h | 2 +- arch/arm64/include/asm/percpu.h | 8 +- arch/arm64/include/asm/pgalloc.h | 5 + arch/arm64/include/asm/uaccess.h | 1 + arch/arm64/mm/dma-mapping.c | 2 +- arch/avr32/include/asm/elf.h | 8 +- arch/avr32/include/asm/kmap_types.h | 4 +- arch/avr32/mm/fault.c | 27 + arch/frv/include/asm/atomic.h | 10 + arch/frv/include/asm/kmap_types.h | 2 +- arch/frv/mm/elf-fdpic.c | 3 +- arch/ia64/Makefile | 1 + arch/ia64/include/asm/atomic.h | 10 + arch/ia64/include/asm/barrier.h | 2 +- arch/ia64/include/asm/elf.h | 7 + arch/ia64/include/asm/pgalloc.h | 12 + arch/ia64/include/asm/pgtable.h | 13 +- arch/ia64/include/asm/spinlock.h | 2 +- arch/ia64/include/asm/uaccess.h | 27 +- arch/ia64/kernel/module.c | 45 +- arch/ia64/kernel/palinfo.c | 2 +- arch/ia64/kernel/sys_ia64.c | 7 + arch/ia64/kernel/vmlinux.lds.S | 2 +- arch/ia64/mm/fault.c | 32 +- arch/ia64/mm/init.c | 15 +- arch/m32r/lib/usercopy.c | 6 + arch/metag/include/asm/barrier.h | 2 +- arch/mips/cavium-octeon/dma-octeon.c | 2 +- arch/mips/include/asm/atomic.h | 355 +- arch/mips/include/asm/barrier.h | 2 +- arch/mips/include/asm/elf.h | 7 + arch/mips/include/asm/exec.h | 2 +- arch/mips/include/asm/hw_irq.h | 2 +- arch/mips/include/asm/local.h | 57 + arch/mips/include/asm/page.h | 2 +- arch/mips/include/asm/pgalloc.h | 5 + arch/mips/include/asm/pgtable.h | 3 + arch/mips/include/asm/uaccess.h | 1 + arch/mips/kernel/binfmt_elfn32.c | 7 + arch/mips/kernel/binfmt_elfo32.c | 7 + arch/mips/kernel/i8259.c | 2 +- arch/mips/kernel/irq-gt641xx.c | 2 +- arch/mips/kernel/irq.c | 6 +- arch/mips/kernel/pm-cps.c | 2 +- arch/mips/kernel/process.c | 12 - arch/mips/kernel/sync-r4k.c | 24 +- arch/mips/kernel/traps.c | 13 +- arch/mips/kvm/mips.c | 2 +- arch/mips/mm/fault.c | 25 + arch/mips/mm/mmap.c | 51 +- arch/mips/sgi-ip27/ip27-nmi.c | 6 +- arch/mips/sni/rm200.c | 2 +- arch/mips/vr41xx/common/icu.c | 2 +- arch/mips/vr41xx/common/irq.c | 4 +- arch/parisc/include/asm/atomic.h | 10 + arch/parisc/include/asm/elf.h | 7 + arch/parisc/include/asm/pgalloc.h | 6 + arch/parisc/include/asm/pgtable.h | 11 + arch/parisc/include/asm/uaccess.h | 4 +- arch/parisc/kernel/module.c | 50 +- arch/parisc/kernel/sys_parisc.c | 15 + arch/parisc/kernel/traps.c | 4 +- arch/parisc/mm/fault.c | 140 +- arch/powerpc/include/asm/atomic.h | 329 +- arch/powerpc/include/asm/barrier.h | 2 +- arch/powerpc/include/asm/elf.h | 12 + arch/powerpc/include/asm/exec.h | 2 +- arch/powerpc/include/asm/kmap_types.h | 2 +- arch/powerpc/include/asm/local.h | 46 + arch/powerpc/include/asm/mman.h | 2 +- arch/powerpc/include/asm/page.h | 8 +- arch/powerpc/include/asm/page_64.h | 7 +- arch/powerpc/include/asm/pgalloc-64.h | 7 + arch/powerpc/include/asm/pgtable.h | 1 + arch/powerpc/include/asm/pte-hash32.h | 1 + arch/powerpc/include/asm/reg.h | 1 + arch/powerpc/include/asm/smp.h | 2 +- arch/powerpc/include/asm/spinlock.h | 42 +- arch/powerpc/include/asm/uaccess.h | 141 +- arch/powerpc/kernel/Makefile | 5 + arch/powerpc/kernel/exceptions-64e.S | 4 +- arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/module_32.c | 15 +- arch/powerpc/kernel/process.c | 46 - arch/powerpc/kernel/signal_32.c | 2 +- arch/powerpc/kernel/signal_64.c | 2 +- arch/powerpc/kernel/traps.c | 21 + arch/powerpc/kernel/vdso.c | 5 +- arch/powerpc/kvm/powerpc.c | 2 +- arch/powerpc/lib/usercopy_64.c | 18 - arch/powerpc/mm/fault.c | 56 +- arch/powerpc/mm/mmap.c | 16 + arch/powerpc/mm/slice.c | 13 +- arch/powerpc/platforms/cell/spufs/file.c | 4 +- arch/s390/include/asm/atomic.h | 10 + arch/s390/include/asm/barrier.h | 2 +- arch/s390/include/asm/elf.h | 7 + arch/s390/include/asm/exec.h | 2 +- arch/s390/include/asm/uaccess.h | 13 +- arch/s390/kernel/module.c | 22 +- arch/s390/kernel/process.c | 24 - arch/s390/mm/mmap.c | 16 + arch/score/include/asm/exec.h | 2 +- arch/score/kernel/process.c | 5 - arch/sh/mm/mmap.c | 22 +- arch/sparc/include/asm/atomic_64.h | 110 +- arch/sparc/include/asm/barrier_64.h | 2 +- arch/sparc/include/asm/cache.h | 2 +- arch/sparc/include/asm/elf_32.h | 7 + arch/sparc/include/asm/elf_64.h | 7 + arch/sparc/include/asm/pgalloc_32.h | 1 + arch/sparc/include/asm/pgalloc_64.h | 1 + arch/sparc/include/asm/pgtable.h | 4 + arch/sparc/include/asm/pgtable_32.h | 15 +- arch/sparc/include/asm/pgtsrmmu.h | 5 + arch/sparc/include/asm/setup.h | 4 +- arch/sparc/include/asm/spinlock_64.h | 35 +- arch/sparc/include/asm/thread_info_32.h | 1 + arch/sparc/include/asm/thread_info_64.h | 2 + arch/sparc/include/asm/uaccess.h | 1 + arch/sparc/include/asm/uaccess_32.h | 28 +- arch/sparc/include/asm/uaccess_64.h | 24 +- arch/sparc/kernel/Makefile | 2 +- arch/sparc/kernel/prom_common.c | 2 +- arch/sparc/kernel/smp_64.c | 8 +- arch/sparc/kernel/sys_sparc_32.c | 2 +- arch/sparc/kernel/sys_sparc_64.c | 52 +- arch/sparc/kernel/traps_64.c | 27 +- arch/sparc/lib/Makefile | 2 +- arch/sparc/lib/atomic_64.S | 57 +- arch/sparc/lib/ksyms.c | 6 +- arch/sparc/mm/Makefile | 2 +- arch/sparc/mm/fault_32.c | 292 + arch/sparc/mm/fault_64.c | 486 + arch/sparc/mm/hugetlbpage.c | 22 +- arch/sparc/mm/init_64.c | 10 +- arch/tile/include/asm/atomic_64.h | 10 + arch/tile/include/asm/uaccess.h | 4 +- arch/um/Makefile | 4 + arch/um/include/asm/kmap_types.h | 2 +- arch/um/include/asm/page.h | 3 + arch/um/include/asm/pgtable-3level.h | 1 + arch/um/kernel/process.c | 16 - arch/x86/Kconfig | 15 +- arch/x86/Kconfig.cpu | 6 +- arch/x86/Kconfig.debug | 4 +- arch/x86/Makefile | 13 +- arch/x86/boot/Makefile | 3 + arch/x86/boot/bitops.h | 4 +- arch/x86/boot/boot.h | 2 +- arch/x86/boot/compressed/Makefile | 3 + arch/x86/boot/compressed/efi_stub_32.S | 16 +- arch/x86/boot/compressed/efi_thunk_64.S | 4 +- arch/x86/boot/compressed/head_32.S | 4 +- arch/x86/boot/compressed/head_64.S | 12 +- arch/x86/boot/compressed/misc.c | 11 +- arch/x86/boot/cpucheck.c | 16 +- arch/x86/boot/header.S | 6 +- arch/x86/boot/memory.c | 2 +- arch/x86/boot/video-vesa.c | 1 + arch/x86/boot/video.c | 2 +- arch/x86/crypto/aes-x86_64-asm_64.S | 4 + arch/x86/crypto/aesni-intel_asm.S | 106 +- arch/x86/crypto/blowfish-x86_64-asm_64.S | 7 + arch/x86/crypto/camellia-aesni-avx-asm_64.S | 10 + arch/x86/crypto/camellia-aesni-avx2-asm_64.S | 10 + arch/x86/crypto/camellia-x86_64-asm_64.S | 7 + arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 4 +- arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 + arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 + arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 + arch/x86/crypto/serpent-avx2-asm_64.S | 9 + arch/x86/crypto/serpent-sse2-x86_64-asm_64.S | 4 + arch/x86/crypto/sha1_ssse3_asm.S | 10 +- arch/x86/crypto/sha256-avx-asm.S | 2 + arch/x86/crypto/sha256-avx2-asm.S | 2 + arch/x86/crypto/sha256-ssse3-asm.S | 2 + arch/x86/crypto/sha512-avx-asm.S | 2 + arch/x86/crypto/sha512-avx2-asm.S | 2 + arch/x86/crypto/sha512-ssse3-asm.S | 2 + arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +- arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 + arch/x86/crypto/twofish-x86_64-asm_64.S | 3 + arch/x86/entry/calling.h | 92 +- arch/x86/entry/entry_32.S | 360 +- arch/x86/entry/entry_64.S | 636 +- arch/x86/entry/entry_64_compat.S | 159 +- arch/x86/entry/thunk_64.S | 2 + arch/x86/entry/vdso/Makefile | 2 +- arch/x86/entry/vdso/vdso2c.h | 4 +- arch/x86/entry/vdso/vma.c | 41 +- arch/x86/entry/vsyscall/vsyscall_64.c | 16 +- arch/x86/ia32/ia32_signal.c | 23 +- arch/x86/ia32/sys_ia32.c | 42 +- arch/x86/include/asm/alternative-asm.h | 43 +- arch/x86/include/asm/alternative.h | 4 +- arch/x86/include/asm/apic.h | 2 +- arch/x86/include/asm/apm.h | 4 +- arch/x86/include/asm/atomic.h | 269 +- arch/x86/include/asm/atomic64_32.h | 100 + arch/x86/include/asm/atomic64_64.h | 164 +- arch/x86/include/asm/barrier.h | 4 +- arch/x86/include/asm/bitops.h | 18 +- arch/x86/include/asm/boot.h | 2 +- arch/x86/include/asm/cache.h | 5 +- arch/x86/include/asm/checksum_32.h | 12 +- arch/x86/include/asm/cmpxchg.h | 39 + arch/x86/include/asm/compat.h | 2 +- arch/x86/include/asm/cpufeature.h | 17 +- arch/x86/include/asm/desc.h | 78 +- arch/x86/include/asm/desc_defs.h | 6 + arch/x86/include/asm/div64.h | 2 +- arch/x86/include/asm/elf.h | 33 +- arch/x86/include/asm/emergency-restart.h | 2 +- arch/x86/include/asm/fpu/internal.h | 36 +- arch/x86/include/asm/fpu/types.h | 5 +- arch/x86/include/asm/futex.h | 14 +- arch/x86/include/asm/hw_irq.h | 4 +- arch/x86/include/asm/i8259.h | 2 +- arch/x86/include/asm/io.h | 22 +- arch/x86/include/asm/irqflags.h | 5 + arch/x86/include/asm/kprobes.h | 9 +- arch/x86/include/asm/local.h | 106 +- arch/x86/include/asm/mman.h | 15 + arch/x86/include/asm/mmu.h | 14 +- arch/x86/include/asm/mmu_context.h | 138 +- arch/x86/include/asm/module.h | 17 +- arch/x86/include/asm/nmi.h | 19 +- arch/x86/include/asm/page.h | 1 + arch/x86/include/asm/page_32.h | 12 +- arch/x86/include/asm/page_64.h | 14 +- arch/x86/include/asm/paravirt.h | 46 +- arch/x86/include/asm/paravirt_types.h | 15 +- arch/x86/include/asm/pgalloc.h | 23 + arch/x86/include/asm/pgtable-2level.h | 2 + arch/x86/include/asm/pgtable-3level.h | 4 + arch/x86/include/asm/pgtable.h | 128 +- arch/x86/include/asm/pgtable_32.h | 14 +- arch/x86/include/asm/pgtable_32_types.h | 24 +- arch/x86/include/asm/pgtable_64.h | 22 +- arch/x86/include/asm/pgtable_64_types.h | 5 + arch/x86/include/asm/pgtable_types.h | 26 +- arch/x86/include/asm/preempt.h | 2 +- arch/x86/include/asm/processor.h | 59 +- arch/x86/include/asm/ptrace.h | 21 +- arch/x86/include/asm/qrwlock.h | 4 +- arch/x86/include/asm/realmode.h | 4 +- arch/x86/include/asm/reboot.h | 10 +- arch/x86/include/asm/rmwcc.h | 84 +- arch/x86/include/asm/rwsem.h | 60 +- arch/x86/include/asm/segment.h | 27 +- arch/x86/include/asm/smap.h | 43 + arch/x86/include/asm/smp.h | 14 +- arch/x86/include/asm/stackprotector.h | 4 +- arch/x86/include/asm/stacktrace.h | 32 +- arch/x86/include/asm/switch_to.h | 4 +- arch/x86/include/asm/sys_ia32.h | 6 +- arch/x86/include/asm/thread_info.h | 27 +- arch/x86/include/asm/tlbflush.h | 77 +- arch/x86/include/asm/uaccess.h | 192 +- arch/x86/include/asm/uaccess_32.h | 28 +- arch/x86/include/asm/uaccess_64.h | 169 +- arch/x86/include/asm/word-at-a-time.h | 2 +- arch/x86/include/asm/x86_init.h | 10 +- arch/x86/include/asm/xen/page.h | 2 +- arch/x86/include/uapi/asm/e820.h | 2 +- arch/x86/kernel/Makefile | 2 +- arch/x86/kernel/acpi/boot.c | 4 +- arch/x86/kernel/acpi/sleep.c | 4 + arch/x86/kernel/acpi/wakeup_32.S | 6 +- arch/x86/kernel/alternative.c | 124 +- arch/x86/kernel/apic/apic.c | 4 +- arch/x86/kernel/apic/apic_flat_64.c | 4 +- arch/x86/kernel/apic/apic_noop.c | 2 +- arch/x86/kernel/apic/bigsmp_32.c | 2 +- arch/x86/kernel/apic/io_apic.c | 8 +- arch/x86/kernel/apic/msi.c | 2 +- arch/x86/kernel/apic/probe_32.c | 2 +- arch/x86/kernel/apic/vector.c | 4 +- arch/x86/kernel/apic/x2apic_cluster.c | 4 +- arch/x86/kernel/apic/x2apic_phys.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/apm_32.c | 21 +- arch/x86/kernel/asm-offsets.c | 20 + arch/x86/kernel/asm-offsets_64.c | 1 + arch/x86/kernel/cpu/Makefile | 4 - arch/x86/kernel/cpu/amd.c | 2 +- arch/x86/kernel/cpu/common.c | 202 +- arch/x86/kernel/cpu/intel_cacheinfo.c | 14 +- arch/x86/kernel/cpu/mcheck/mce.c | 31 +- arch/x86/kernel/cpu/mcheck/p5.c | 3 + arch/x86/kernel/cpu/mcheck/winchip.c | 3 + arch/x86/kernel/cpu/microcode/core.c | 2 +- arch/x86/kernel/cpu/microcode/intel.c | 4 +- arch/x86/kernel/cpu/mtrr/main.c | 2 +- arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +- arch/x86/kernel/cpu/perf_event.c | 10 +- arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +- arch/x86/kernel/cpu/perf_event_intel.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_bts.c | 6 +- arch/x86/kernel/cpu/perf_event_intel_cqm.c | 4 +- arch/x86/kernel/cpu/perf_event_intel_pt.c | 44 +- arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +- arch/x86/kernel/cpuid.c | 2 +- arch/x86/kernel/crash_dump_64.c | 2 +- arch/x86/kernel/doublefault.c | 8 +- arch/x86/kernel/dumpstack.c | 24 +- arch/x86/kernel/dumpstack_32.c | 25 +- arch/x86/kernel/dumpstack_64.c | 62 +- arch/x86/kernel/e820.c | 4 +- arch/x86/kernel/early_printk.c | 1 + arch/x86/kernel/espfix_64.c | 13 +- arch/x86/kernel/fpu/core.c | 22 +- arch/x86/kernel/fpu/init.c | 8 +- arch/x86/kernel/fpu/regset.c | 22 +- arch/x86/kernel/fpu/signal.c | 20 +- arch/x86/kernel/fpu/xstate.c | 8 +- arch/x86/kernel/ftrace.c | 18 +- arch/x86/kernel/head64.c | 14 +- arch/x86/kernel/head_32.S | 235 +- arch/x86/kernel/head_64.S | 149 +- arch/x86/kernel/i386_ksyms_32.c | 12 + arch/x86/kernel/i8259.c | 10 +- arch/x86/kernel/io_delay.c | 2 +- arch/x86/kernel/ioport.c | 2 +- arch/x86/kernel/irq.c | 8 +- arch/x86/kernel/irq_32.c | 45 +- arch/x86/kernel/jump_label.c | 10 +- arch/x86/kernel/kgdb.c | 21 +- arch/x86/kernel/kprobes/core.c | 28 +- arch/x86/kernel/kprobes/opt.c | 16 +- arch/x86/kernel/ksysfs.c | 2 +- arch/x86/kernel/ldt.c | 25 + arch/x86/kernel/livepatch.c | 12 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/mcount_64.S | 19 +- arch/x86/kernel/module.c | 78 +- arch/x86/kernel/msr.c | 2 +- arch/x86/kernel/nmi.c | 34 +- arch/x86/kernel/nmi_selftest.c | 4 +- arch/x86/kernel/paravirt-spinlocks.c | 2 +- arch/x86/kernel/paravirt.c | 45 +- arch/x86/kernel/paravirt_patch_64.c | 8 + arch/x86/kernel/pci-calgary_64.c | 2 +- arch/x86/kernel/pci-iommu_table.c | 2 +- arch/x86/kernel/pci-swiotlb.c | 2 +- arch/x86/kernel/process.c | 71 +- arch/x86/kernel/process_32.c | 30 +- arch/x86/kernel/process_64.c | 19 +- arch/x86/kernel/ptrace.c | 20 +- arch/x86/kernel/pvclock.c | 8 +- arch/x86/kernel/reboot.c | 44 +- arch/x86/kernel/reboot_fixups_32.c | 2 +- arch/x86/kernel/relocate_kernel_64.S | 3 +- arch/x86/kernel/setup.c | 29 +- arch/x86/kernel/setup_percpu.c | 29 +- arch/x86/kernel/signal.c | 17 +- arch/x86/kernel/smp.c | 2 +- arch/x86/kernel/smpboot.c | 29 +- arch/x86/kernel/step.c | 6 +- arch/x86/kernel/sys_i386_32.c | 184 + arch/x86/kernel/sys_x86_64.c | 22 +- arch/x86/kernel/tboot.c | 14 +- arch/x86/kernel/time.c | 8 +- arch/x86/kernel/tls.c | 7 +- arch/x86/kernel/tracepoint.c | 4 +- arch/x86/kernel/traps.c | 53 +- arch/x86/kernel/tsc.c | 2 +- arch/x86/kernel/uprobes.c | 2 +- arch/x86/kernel/vm86_32.c | 6 +- arch/x86/kernel/vmlinux.lds.S | 147 +- arch/x86/kernel/x8664_ksyms_64.c | 6 +- arch/x86/kernel/x86_init.c | 6 +- arch/x86/kvm/cpuid.c | 21 +- arch/x86/kvm/emulate.c | 2 +- arch/x86/kvm/lapic.c | 2 +- arch/x86/kvm/paging_tmpl.h | 2 +- arch/x86/kvm/svm.c | 8 + arch/x86/kvm/vmx.c | 82 +- arch/x86/kvm/x86.c | 44 +- arch/x86/lguest/boot.c | 3 +- arch/x86/lib/atomic64_386_32.S | 164 + arch/x86/lib/atomic64_cx8_32.S | 98 +- arch/x86/lib/checksum_32.S | 97 +- arch/x86/lib/clear_page_64.S | 3 + arch/x86/lib/cmpxchg16b_emu.S | 3 + arch/x86/lib/copy_page_64.S | 14 +- arch/x86/lib/copy_user_64.S | 66 +- arch/x86/lib/csum-copy_64.S | 14 +- arch/x86/lib/csum-wrappers_64.c | 8 +- arch/x86/lib/getuser.S | 74 +- arch/x86/lib/insn.c | 8 +- arch/x86/lib/iomap_copy_64.S | 2 + arch/x86/lib/memcpy_64.S | 6 + arch/x86/lib/memmove_64.S | 3 +- arch/x86/lib/memset_64.S | 3 + arch/x86/lib/mmx_32.c | 243 +- arch/x86/lib/msr-reg.S | 2 + arch/x86/lib/putuser.S | 87 +- arch/x86/lib/rwsem.S | 6 +- arch/x86/lib/usercopy_32.c | 359 +- arch/x86/lib/usercopy_64.c | 20 +- arch/x86/math-emu/fpu_aux.c | 2 +- arch/x86/math-emu/fpu_entry.c | 4 +- arch/x86/math-emu/fpu_system.h | 2 +- arch/x86/mm/Makefile | 4 + arch/x86/mm/extable.c | 26 +- arch/x86/mm/fault.c | 570 +- arch/x86/mm/gup.c | 6 +- arch/x86/mm/highmem_32.c | 4 + arch/x86/mm/hugetlbpage.c | 24 +- arch/x86/mm/init.c | 101 +- arch/x86/mm/init_32.c | 111 +- arch/x86/mm/init_64.c | 46 +- arch/x86/mm/iomap_32.c | 4 + arch/x86/mm/ioremap.c | 44 +- arch/x86/mm/kmemcheck/kmemcheck.c | 4 +- arch/x86/mm/mmap.c | 40 +- arch/x86/mm/mmio-mod.c | 10 +- arch/x86/mm/numa.c | 2 +- arch/x86/mm/pageattr.c | 33 +- arch/x86/mm/pat.c | 12 +- arch/x86/mm/pat_rbtree.c | 2 +- arch/x86/mm/pf_in.c | 10 +- arch/x86/mm/pgtable.c | 162 +- arch/x86/mm/pgtable_32.c | 3 + arch/x86/mm/setup_nx.c | 7 + arch/x86/mm/tlb.c | 4 + arch/x86/mm/uderef_64.c | 37 + arch/x86/net/bpf_jit.S | 11 + arch/x86/net/bpf_jit_comp.c | 13 +- arch/x86/oprofile/backtrace.c | 6 +- arch/x86/oprofile/nmi_int.c | 8 +- arch/x86/oprofile/op_model_amd.c | 8 +- arch/x86/oprofile/op_model_ppro.c | 7 +- arch/x86/oprofile/op_x86_model.h | 2 +- arch/x86/pci/intel_mid_pci.c | 2 +- arch/x86/pci/irq.c | 8 +- arch/x86/pci/pcbios.c | 144 +- arch/x86/platform/efi/efi_32.c | 24 + arch/x86/platform/efi/efi_64.c | 26 +- arch/x86/platform/efi/efi_stub_32.S | 64 +- arch/x86/platform/efi/efi_stub_64.S | 2 + arch/x86/platform/intel-mid/intel-mid.c | 5 +- arch/x86/platform/intel-mid/intel_mid_weak_decls.h | 6 +- arch/x86/platform/intel-mid/mfld.c | 4 +- arch/x86/platform/intel-mid/mrfl.c | 2 +- arch/x86/platform/intel-quark/imr_selftest.c | 2 +- arch/x86/platform/olpc/olpc_dt.c | 2 +- arch/x86/power/cpu.c | 11 +- arch/x86/realmode/init.c | 10 +- arch/x86/realmode/rm/Makefile | 3 + arch/x86/realmode/rm/header.S | 4 +- arch/x86/realmode/rm/reboot.S | 4 + arch/x86/realmode/rm/trampoline_32.S | 12 +- arch/x86/realmode/rm/trampoline_64.S | 3 +- arch/x86/realmode/rm/wakeup_asm.S | 5 +- arch/x86/tools/Makefile | 2 +- arch/x86/tools/relocs.c | 96 +- arch/x86/um/mem_32.c | 2 +- arch/x86/um/tls_32.c | 2 +- arch/x86/xen/enlighten.c | 50 +- arch/x86/xen/mmu.c | 17 +- arch/x86/xen/smp.c | 16 +- arch/x86/xen/xen-asm_32.S | 2 +- arch/x86/xen/xen-head.S | 11 + arch/x86/xen/xen-ops.h | 2 - block/bio.c | 4 +- block/blk-iopoll.c | 2 +- block/blk-map.c | 2 +- block/blk-softirq.c | 2 +- block/bsg.c | 12 +- block/compat_ioctl.c | 4 +- block/genhd.c | 9 +- block/partitions/efi.c | 8 +- block/scsi_ioctl.c | 29 +- crypto/cryptd.c | 4 +- crypto/pcrypt.c | 2 +- crypto/zlib.c | 4 +- drivers/acpi/acpi_video.c | 2 +- drivers/acpi/apei/apei-internal.h | 2 +- drivers/acpi/apei/ghes.c | 4 +- drivers/acpi/bgrt.c | 6 +- drivers/acpi/blacklist.c | 4 +- drivers/acpi/bus.c | 4 +- drivers/acpi/device_pm.c | 4 +- drivers/acpi/ec.c | 2 +- drivers/acpi/pci_slot.c | 2 +- drivers/acpi/processor_driver.c | 2 +- drivers/acpi/processor_idle.c | 2 +- drivers/acpi/processor_pdc.c | 2 +- drivers/acpi/sleep.c | 2 +- drivers/acpi/sysfs.c | 4 +- drivers/acpi/thermal.c | 2 +- drivers/acpi/video_detect.c | 7 +- drivers/ata/libahci.c | 2 +- drivers/ata/libata-core.c | 12 +- drivers/ata/libata-scsi.c | 2 +- drivers/ata/libata.h | 2 +- drivers/ata/pata_arasan_cf.c | 4 +- drivers/atm/adummy.c | 2 +- drivers/atm/ambassador.c | 8 +- drivers/atm/atmtcp.c | 14 +- drivers/atm/eni.c | 10 +- drivers/atm/firestream.c | 8 +- drivers/atm/fore200e.c | 14 +- drivers/atm/he.c | 18 +- drivers/atm/horizon.c | 4 +- drivers/atm/idt77252.c | 36 +- drivers/atm/iphase.c | 34 +- drivers/atm/lanai.c | 12 +- drivers/atm/nicstar.c | 46 +- drivers/atm/solos-pci.c | 4 +- drivers/atm/suni.c | 4 +- drivers/atm/uPD98402.c | 16 +- drivers/atm/zatm.c | 6 +- drivers/base/bus.c | 4 +- drivers/base/devtmpfs.c | 8 +- drivers/base/node.c | 2 +- drivers/base/power/domain.c | 11 +- drivers/base/power/sysfs.c | 2 +- drivers/base/power/wakeup.c | 8 +- drivers/base/syscore.c | 4 +- drivers/block/cciss.c | 28 +- drivers/block/cciss.h | 2 +- drivers/block/cpqarray.c | 28 +- drivers/block/cpqarray.h | 2 +- drivers/block/drbd/drbd_bitmap.c | 2 +- drivers/block/drbd/drbd_int.h | 8 +- drivers/block/drbd/drbd_main.c | 12 +- drivers/block/drbd/drbd_nl.c | 4 +- drivers/block/drbd/drbd_receiver.c | 34 +- drivers/block/drbd/drbd_worker.c | 8 +- drivers/block/pktcdvd.c | 4 +- drivers/block/rbd.c | 2 +- drivers/bluetooth/btwilink.c | 2 +- drivers/cdrom/cdrom.c | 11 +- drivers/cdrom/gdrom.c | 1 - drivers/char/agp/compat_ioctl.c | 2 +- drivers/char/agp/frontend.c | 4 +- drivers/char/agp/intel-gtt.c | 4 +- drivers/char/hpet.c | 2 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_si_intf.c | 8 +- drivers/char/mem.c | 47 +- drivers/char/nvram.c | 2 +- drivers/char/pcmcia/synclink_cs.c | 16 +- drivers/char/random.c | 12 +- drivers/char/sonypi.c | 11 +- drivers/char/tpm/tpm_acpi.c | 3 +- drivers/char/tpm/tpm_eventlog.c | 7 +- drivers/char/virtio_console.c | 4 +- drivers/clk/clk-composite.c | 2 +- drivers/clk/samsung/clk.h | 2 +- drivers/clk/socfpga/clk-gate.c | 9 +- drivers/clk/socfpga/clk-pll.c | 9 +- drivers/cpufreq/acpi-cpufreq.c | 17 +- drivers/cpufreq/cpufreq-dt.c | 4 +- drivers/cpufreq/cpufreq.c | 26 +- drivers/cpufreq/cpufreq_governor.c | 2 +- drivers/cpufreq/cpufreq_governor.h | 4 +- drivers/cpufreq/cpufreq_ondemand.c | 10 +- drivers/cpufreq/intel_pstate.c | 33 +- drivers/cpufreq/p4-clockmod.c | 12 +- drivers/cpufreq/sparc-us3-cpufreq.c | 67 +- drivers/cpufreq/speedstep-centrino.c | 7 +- drivers/cpuidle/driver.c | 2 +- drivers/cpuidle/dt_idle_states.c | 2 +- drivers/cpuidle/governor.c | 2 +- drivers/cpuidle/sysfs.c | 2 +- drivers/crypto/hifn_795x.c | 4 +- drivers/devfreq/devfreq.c | 4 +- drivers/dma/sh/shdma-base.c | 4 +- drivers/dma/sh/shdmac.c | 2 +- drivers/edac/edac_device.c | 4 +- drivers/edac/edac_mc_sysfs.c | 2 +- drivers/edac/edac_pci.c | 4 +- drivers/edac/edac_pci_sysfs.c | 22 +- drivers/edac/mce_amd.h | 2 +- drivers/firewire/core-card.c | 6 +- drivers/firewire/core-device.c | 2 +- drivers/firewire/core-transaction.c | 1 + drivers/firewire/core.h | 1 + drivers/firmware/dmi-id.c | 2 +- drivers/firmware/dmi_scan.c | 12 +- drivers/firmware/efi/cper.c | 8 +- drivers/firmware/efi/efi.c | 12 +- drivers/firmware/efi/efivars.c | 2 +- drivers/firmware/efi/runtime-map.c | 2 +- drivers/firmware/google/gsmi.c | 2 +- drivers/firmware/google/memconsole.c | 7 +- drivers/firmware/memmap.c | 2 +- drivers/gpio/gpio-davinci.c | 6 +- drivers/gpio/gpio-em.c | 2 +- drivers/gpio/gpio-ich.c | 2 +- drivers/gpio/gpio-omap.c | 4 +- drivers/gpio/gpio-rcar.c | 2 +- drivers/gpio/gpio-vr41xx.c | 2 +- drivers/gpio/gpiolib.c | 13 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 90 +- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.h | 8 +- .../drm/amd/amdkfd/kfd_device_queue_manager_cik.c | 14 +- .../drm/amd/amdkfd/kfd_device_queue_manager_vi.c | 14 +- drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c | 4 +- drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h | 2 +- .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 16 +- drivers/gpu/drm/drm_crtc.c | 2 +- drivers/gpu/drm/drm_drv.c | 2 +- drivers/gpu/drm/drm_fops.c | 12 +- drivers/gpu/drm/drm_global.c | 14 +- drivers/gpu/drm/drm_info.c | 13 +- drivers/gpu/drm/drm_ioc32.c | 13 +- drivers/gpu/drm/drm_ioctl.c | 2 +- drivers/gpu/drm/gma500/mdfld_dsi_dpi.c | 10 +- drivers/gpu/drm/i810/i810_drv.h | 4 +- drivers/gpu/drm/i915/i915_debugfs.c | 2 +- drivers/gpu/drm/i915/i915_dma.c | 2 +- drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +- drivers/gpu/drm/i915/i915_gem_gtt.c | 32 +- drivers/gpu/drm/i915/i915_gem_gtt.h | 16 +- drivers/gpu/drm/i915/i915_gem_stolen.c | 2 +- drivers/gpu/drm/i915/i915_ioc32.c | 16 +- drivers/gpu/drm/i915/intel_display.c | 26 +- drivers/gpu/drm/imx/imx-drm-core.c | 2 +- drivers/gpu/drm/mga/mga_drv.h | 4 +- drivers/gpu/drm/mga/mga_ioc32.c | 10 +- drivers/gpu/drm/mga/mga_irq.c | 8 +- drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +- drivers/gpu/drm/nouveau/nouveau_drm.h | 1 - drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +- drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +- drivers/gpu/drm/omapdrm/Makefile | 2 +- drivers/gpu/drm/qxl/qxl_cmd.c | 12 +- drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +- drivers/gpu/drm/qxl/qxl_drv.h | 8 +- drivers/gpu/drm/qxl/qxl_ioctl.c | 10 +- drivers/gpu/drm/qxl/qxl_irq.c | 16 +- drivers/gpu/drm/qxl/qxl_ttm.c | 38 +- drivers/gpu/drm/r128/r128_cce.c | 2 +- drivers/gpu/drm/r128/r128_drv.h | 4 +- drivers/gpu/drm/r128/r128_ioc32.c | 10 +- drivers/gpu/drm/r128/r128_irq.c | 4 +- drivers/gpu/drm/r128/r128_state.c | 4 +- drivers/gpu/drm/radeon/mkregtable.c | 4 +- drivers/gpu/drm/radeon/radeon_device.c | 2 +- drivers/gpu/drm/radeon/radeon_drv.h | 2 +- drivers/gpu/drm/radeon/radeon_ioc32.c | 12 +- drivers/gpu/drm/radeon/radeon_irq.c | 6 +- drivers/gpu/drm/radeon/radeon_state.c | 4 +- drivers/gpu/drm/radeon/radeon_ttm.c | 4 +- drivers/gpu/drm/tegra/dc.c | 2 +- drivers/gpu/drm/tegra/dsi.c | 2 +- drivers/gpu/drm/tegra/hdmi.c | 2 +- drivers/gpu/drm/tegra/sor.c | 7 +- drivers/gpu/drm/tilcdc/Makefile | 6 +- drivers/gpu/drm/ttm/ttm_memory.c | 4 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 18 +- drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 18 +- drivers/gpu/drm/udl/udl_fb.c | 1 - drivers/gpu/drm/via/via_drv.h | 4 +- drivers/gpu/drm/via/via_irq.c | 18 +- drivers/gpu/drm/virtio/virtgpu_debugfs.c | 2 +- drivers/gpu/drm/virtio/virtgpu_fence.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +- drivers/gpu/vga/vga_switcheroo.c | 4 +- drivers/hid/hid-core.c | 4 +- drivers/hid/hid-sensor-custom.c | 2 +- drivers/hv/channel.c | 2 +- drivers/hv/hv.c | 4 +- drivers/hv/hv_balloon.c | 18 +- drivers/hv/hyperv_vmbus.h | 2 +- drivers/hwmon/acpi_power_meter.c | 6 +- drivers/hwmon/applesmc.c | 2 +- drivers/hwmon/asus_atk0110.c | 10 +- drivers/hwmon/coretemp.c | 2 +- drivers/hwmon/dell-smm-hwmon.c | 2 +- drivers/hwmon/ibmaem.c | 2 +- drivers/hwmon/iio_hwmon.c | 2 +- drivers/hwmon/nct6683.c | 6 +- drivers/hwmon/nct6775.c | 6 +- drivers/hwmon/pmbus/pmbus_core.c | 10 +- drivers/hwmon/sht15.c | 12 +- drivers/hwmon/via-cputemp.c | 2 +- drivers/i2c/busses/i2c-amd756-s4882.c | 2 +- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +- drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/ide/ide-cd.c | 2 +- drivers/iio/industrialio-core.c | 2 +- drivers/iio/magnetometer/ak8975.c | 2 +- drivers/infiniband/core/cm.c | 32 +- drivers/infiniband/core/fmr_pool.c | 20 +- drivers/infiniband/core/uverbs_cmd.c | 3 + drivers/infiniband/hw/cxgb4/mem.c | 4 +- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +- drivers/infiniband/hw/mlx4/mad.c | 2 +- drivers/infiniband/hw/mlx4/mcg.c | 2 +- drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mthca/mthca_cmd.c | 8 +- drivers/infiniband/hw/mthca/mthca_main.c | 2 +- drivers/infiniband/hw/mthca/mthca_mr.c | 6 +- drivers/infiniband/hw/mthca/mthca_provider.c | 2 +- drivers/infiniband/hw/nes/nes.c | 4 +- drivers/infiniband/hw/nes/nes.h | 40 +- drivers/infiniband/hw/nes/nes_cm.c | 62 +- drivers/infiniband/hw/nes/nes_mgt.c | 8 +- drivers/infiniband/hw/nes/nes_nic.c | 40 +- drivers/infiniband/hw/nes/nes_verbs.c | 10 +- drivers/infiniband/hw/qib/qib.h | 1 + drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 2 +- drivers/input/gameport/gameport.c | 4 +- drivers/input/input.c | 4 +- drivers/input/joystick/sidewinder.c | 1 + drivers/input/joystick/xpad.c | 4 +- drivers/input/misc/ims-pcu.c | 4 +- drivers/input/mouse/psmouse.h | 2 +- drivers/input/mousedev.c | 2 +- drivers/input/serio/serio.c | 4 +- drivers/input/serio/serio_raw.c | 4 +- drivers/input/touchscreen/htcpen.c | 2 +- drivers/iommu/arm-smmu.c | 43 +- drivers/iommu/io-pgtable-arm.c | 101 +- drivers/iommu/io-pgtable.c | 11 +- drivers/iommu/io-pgtable.h | 19 +- drivers/iommu/iommu.c | 2 +- drivers/iommu/ipmmu-vmsa.c | 13 +- drivers/iommu/irq_remapping.c | 2 +- drivers/irqchip/irq-gic.c | 2 +- drivers/irqchip/irq-renesas-intc-irqpin.c | 2 +- drivers/irqchip/irq-renesas-irqc.c | 2 +- drivers/isdn/capi/capi.c | 10 +- drivers/isdn/gigaset/interface.c | 8 +- drivers/isdn/gigaset/usb-gigaset.c | 2 +- drivers/isdn/hardware/avm/b1.c | 4 +- drivers/isdn/i4l/isdn_common.c | 2 + drivers/isdn/i4l/isdn_tty.c | 22 +- drivers/isdn/icn/icn.c | 2 +- drivers/isdn/mISDN/dsp_cmx.c | 2 +- drivers/lguest/core.c | 10 +- drivers/lguest/page_tables.c | 2 +- drivers/lguest/x86/core.c | 12 +- drivers/lguest/x86/switcher_32.S | 27 +- drivers/md/bcache/closure.h | 2 +- drivers/md/bitmap.c | 2 +- drivers/md/dm-ioctl.c | 2 +- drivers/md/dm-raid1.c | 18 +- drivers/md/dm-stats.c | 6 +- drivers/md/dm-stripe.c | 10 +- drivers/md/dm-table.c | 2 +- drivers/md/dm-thin-metadata.c | 4 +- drivers/md/dm.c | 16 +- drivers/md/md.c | 26 +- drivers/md/md.h | 6 +- drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/persistent-data/dm-space-map.h | 1 + drivers/md/raid1.c | 4 +- drivers/md/raid10.c | 16 +- drivers/md/raid5.c | 22 +- drivers/media/dvb-core/dvbdev.c | 2 +- drivers/media/dvb-frontends/af9033.h | 2 +- drivers/media/dvb-frontends/dib3000.h | 2 +- drivers/media/dvb-frontends/dib7000p.h | 2 +- drivers/media/dvb-frontends/dib8000.h | 2 +- drivers/media/pci/cx88/cx88-video.c | 6 +- drivers/media/pci/ivtv/ivtv-driver.c | 2 +- drivers/media/pci/solo6x10/solo6x10-core.c | 2 +- drivers/media/pci/solo6x10/solo6x10-p2m.c | 2 +- drivers/media/pci/solo6x10/solo6x10.h | 2 +- drivers/media/pci/tw68/tw68-core.c | 2 +- drivers/media/platform/omap/omap_vout.c | 11 +- drivers/media/platform/s5p-tv/mixer.h | 2 +- drivers/media/platform/s5p-tv/mixer_grp_layer.c | 2 +- drivers/media/platform/s5p-tv/mixer_reg.c | 2 +- drivers/media/platform/s5p-tv/mixer_video.c | 24 +- drivers/media/platform/s5p-tv/mixer_vp_layer.c | 2 +- drivers/media/radio/radio-cadet.c | 2 + drivers/media/radio/radio-maxiradio.c | 2 +- drivers/media/radio/radio-shark.c | 2 +- drivers/media/radio/radio-shark2.c | 2 +- drivers/media/radio/radio-si476x.c | 2 +- drivers/media/radio/wl128x/fmdrv_common.c | 2 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 12 +- drivers/media/v4l2-core/v4l2-device.c | 4 +- drivers/media/v4l2-core/v4l2-ioctl.c | 13 +- drivers/memory/omap-gpmc.c | 21 +- drivers/message/fusion/mptsas.c | 34 +- drivers/mfd/ab8500-debugfs.c | 2 +- drivers/mfd/kempld-core.c | 2 +- drivers/mfd/max8925-i2c.c | 2 +- drivers/mfd/tps65910.c | 2 +- drivers/mfd/twl4030-irq.c | 9 +- drivers/misc/c2port/core.c | 4 +- drivers/misc/eeprom/sunxi_sid.c | 4 +- drivers/misc/kgdbts.c | 4 +- drivers/misc/lis3lv02d/lis3lv02d.c | 8 +- drivers/misc/lis3lv02d/lis3lv02d.h | 2 +- drivers/misc/mic/scif/scif_rb.c | 8 +- drivers/misc/sgi-gru/gruhandles.c | 4 +- drivers/misc/sgi-gru/gruprocfs.c | 8 +- drivers/misc/sgi-gru/grutables.h | 154 +- drivers/misc/sgi-xp/xp.h | 2 +- drivers/misc/sgi-xp/xpc.h | 3 +- drivers/misc/sgi-xp/xpc_main.c | 2 +- drivers/mmc/card/block.c | 2 +- drivers/mmc/host/dw_mmc.h | 2 +- drivers/mmc/host/mmci.c | 4 +- drivers/mmc/host/omap_hsmmc.c | 4 +- drivers/mmc/host/sdhci-esdhc-imx.c | 7 +- drivers/mmc/host/sdhci-s3c.c | 8 +- drivers/mtd/chips/cfi_cmdset_0020.c | 2 +- drivers/mtd/nand/denali.c | 1 + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +- drivers/mtd/nftlmount.c | 1 + drivers/mtd/sm_ftl.c | 2 +- drivers/net/bonding/bond_netlink.c | 2 +- drivers/net/caif/caif_hsi.c | 2 +- drivers/net/can/Kconfig | 2 +- drivers/net/can/dev.c | 2 +- drivers/net/can/vcan.c | 2 +- drivers/net/dummy.c | 2 +- drivers/net/ethernet/8390/ax88796.c | 4 +- drivers/net/ethernet/altera/altera_tse_main.c | 4 +- drivers/net/ethernet/amd/xgbe/xgbe-common.h | 4 +- drivers/net/ethernet/amd/xgbe/xgbe-dcb.c | 4 +- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 27 +- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 143 +- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 64 +- drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 10 +- drivers/net/ethernet/amd/xgbe/xgbe-main.c | 15 +- drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 27 +- drivers/net/ethernet/amd/xgbe/xgbe-ptp.c | 4 +- drivers/net/ethernet/amd/xgbe/xgbe.h | 10 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +- drivers/net/ethernet/broadcom/tg3.h | 1 + drivers/net/ethernet/cavium/liquidio/lio_ethtool.c | 6 +- drivers/net/ethernet/cavium/liquidio/lio_main.c | 11 +- drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +- drivers/net/ethernet/dec/tulip/de4x5.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 2 +- drivers/net/ethernet/faraday/ftgmac100.c | 2 + drivers/net/ethernet/faraday/ftmac100.c | 2 + drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_tx.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +- drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +- .../net/ethernet/qlogic/qlcnic/qlcnic_minidump.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/sfc/ptp.c | 2 +- drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +- drivers/net/ethernet/via/via-rhine.c | 2 +- drivers/net/hyperv/hyperv_net.h | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ifb.c | 2 +- drivers/net/ipvlan/ipvlan_core.c | 2 +- drivers/net/macvlan.c | 20 +- drivers/net/macvtap.c | 6 +- drivers/net/nlmon.c | 2 +- drivers/net/phy/phy_device.c | 6 +- drivers/net/ppp/ppp_generic.c | 4 +- drivers/net/slip/slhc.c | 2 +- drivers/net/team/team.c | 4 +- drivers/net/tun.c | 7 +- drivers/net/usb/hso.c | 23 +- drivers/net/usb/r8152.c | 2 +- drivers/net/usb/sierra_net.c | 4 +- drivers/net/virtio_net.c | 2 +- drivers/net/vxlan.c | 4 +- drivers/net/wimax/i2400m/rx.c | 2 +- drivers/net/wireless/airo.c | 2 +- drivers/net/wireless/at76c50x-usb.c | 2 +- drivers/net/wireless/ath/ath10k/htc.c | 7 +- drivers/net/wireless/ath/ath10k/htc.h | 4 +- drivers/net/wireless/ath/ath9k/ar9002_mac.c | 36 +- drivers/net/wireless/ath/ath9k/ar9003_mac.c | 64 +- drivers/net/wireless/ath/ath9k/hw.h | 4 +- drivers/net/wireless/ath/ath9k/main.c | 22 +- drivers/net/wireless/b43/phy_lp.c | 2 +- drivers/net/wireless/iwlegacy/3945-mac.c | 4 +- drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +- drivers/net/wireless/iwlwifi/pcie/trans.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 28 +- drivers/net/wireless/rndis_wlan.c | 2 +- drivers/net/wireless/rt2x00/rt2x00.h | 2 +- drivers/net/wireless/rt2x00/rt2x00queue.c | 4 +- drivers/net/wireless/ti/wl1251/sdio.c | 12 +- drivers/net/wireless/ti/wl12xx/main.c | 8 +- drivers/net/wireless/ti/wl18xx/main.c | 6 +- drivers/nfc/nfcwilink.c | 2 +- drivers/of/fdt.c | 4 +- drivers/oprofile/buffer_sync.c | 8 +- drivers/oprofile/event_buffer.c | 2 +- drivers/oprofile/oprof.c | 2 +- drivers/oprofile/oprofile_files.c | 2 +- drivers/oprofile/oprofile_stats.c | 10 +- drivers/oprofile/oprofile_stats.h | 10 +- drivers/oprofile/oprofilefs.c | 6 +- drivers/oprofile/timer_int.c | 2 +- drivers/parport/procfs.c | 4 +- drivers/pci/host/pci-host-generic.c | 24 +- drivers/pci/hotplug/acpiphp_ibm.c | 4 +- drivers/pci/hotplug/cpcihp_generic.c | 6 +- drivers/pci/hotplug/cpcihp_zt5550.c | 14 +- drivers/pci/hotplug/cpqphp_nvram.c | 2 + drivers/pci/hotplug/pci_hotplug_core.c | 6 +- drivers/pci/hotplug/pciehp_core.c | 2 +- drivers/pci/msi.c | 21 +- drivers/pci/pci-sysfs.c | 6 +- drivers/pci/pci.h | 2 +- drivers/pci/pcie/aspm.c | 6 +- drivers/pci/pcie/portdrv_pci.c | 2 +- drivers/pci/probe.c | 2 +- drivers/pinctrl/pinctrl-at91.c | 5 +- drivers/platform/chrome/chromeos_pstore.c | 2 +- drivers/platform/x86/alienware-wmi.c | 4 +- drivers/platform/x86/compal-laptop.c | 2 +- drivers/platform/x86/hdaps.c | 2 +- drivers/platform/x86/ibm_rtl.c | 2 +- drivers/platform/x86/intel_oaktrail.c | 2 +- drivers/platform/x86/msi-laptop.c | 16 +- drivers/platform/x86/msi-wmi.c | 2 +- drivers/platform/x86/samsung-laptop.c | 2 +- drivers/platform/x86/samsung-q10.c | 2 +- drivers/platform/x86/sony-laptop.c | 14 +- drivers/platform/x86/thinkpad_acpi.c | 2 +- drivers/pnp/pnpbios/bioscalls.c | 14 +- drivers/pnp/pnpbios/core.c | 2 +- drivers/power/pda_power.c | 7 +- drivers/power/power_supply.h | 4 +- drivers/power/power_supply_core.c | 7 +- drivers/power/power_supply_sysfs.c | 6 +- drivers/power/reset/at91-reset.c | 9 +- drivers/powercap/powercap_sys.c | 136 +- drivers/ptp/ptp_private.h | 2 +- drivers/ptp/ptp_sysfs.c | 2 +- drivers/regulator/core.c | 4 +- drivers/regulator/max8660.c | 6 +- drivers/regulator/max8973-regulator.c | 16 +- drivers/regulator/mc13892-regulator.c | 8 +- drivers/rtc/rtc-armada38x.c | 7 +- drivers/rtc/rtc-cmos.c | 4 +- drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-m48t59.c | 4 +- drivers/rtc/rtc-test.c | 6 +- drivers/scsi/be2iscsi/be_main.c | 2 +- drivers/scsi/bfa/bfa_fcpim.h | 2 +- drivers/scsi/bfa/bfa_ioc.h | 4 +- drivers/scsi/fcoe/fcoe_sysfs.c | 12 +- drivers/scsi/hosts.c | 4 +- drivers/scsi/hpsa.c | 38 +- drivers/scsi/hpsa.h | 2 +- drivers/scsi/libfc/fc_exch.c | 50 +- drivers/scsi/libsas/sas_ata.c | 2 +- drivers/scsi/lpfc/lpfc.h | 8 +- drivers/scsi/lpfc/lpfc_debugfs.c | 18 +- drivers/scsi/lpfc/lpfc_init.c | 6 +- drivers/scsi/lpfc/lpfc_scsi.c | 10 +- drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +- drivers/scsi/pmcraid.c | 20 +- drivers/scsi/pmcraid.h | 8 +- drivers/scsi/qla2xxx/qla_attr.c | 4 +- drivers/scsi/qla2xxx/qla_gbl.h | 4 +- drivers/scsi/qla2xxx/qla_os.c | 6 +- drivers/scsi/qla4xxx/ql4_def.h | 2 +- drivers/scsi/qla4xxx/ql4_os.c | 6 +- drivers/scsi/scsi.c | 2 +- drivers/scsi/scsi_lib.c | 8 +- drivers/scsi/scsi_sysfs.c | 2 +- drivers/scsi/scsi_transport_fc.c | 8 +- drivers/scsi/scsi_transport_iscsi.c | 6 +- drivers/scsi/scsi_transport_srp.c | 6 +- drivers/scsi/sd.c | 6 +- drivers/scsi/sg.c | 2 +- drivers/scsi/sr.c | 21 +- drivers/soc/tegra/fuse/fuse-tegra.c | 2 +- drivers/spi/spi.c | 2 +- drivers/spi/spidev.c | 2 +- drivers/staging/android/timed_output.c | 6 +- drivers/staging/comedi/comedi_fops.c | 8 +- drivers/staging/fbtft/fbtft-core.c | 2 +- drivers/staging/fbtft/fbtft.h | 2 +- drivers/staging/gdm724x/gdm_tty.c | 2 +- drivers/staging/iio/accel/lis3l02dq_ring.c | 2 +- drivers/staging/iio/adc/ad7280a.c | 4 +- drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +- drivers/staging/lustre/lnet/selftest/framework.c | 4 - drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +- drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +- drivers/staging/lustre/lustre/include/obd.h | 2 +- drivers/staging/lustre/lustre/libcfs/module.c | 6 +- drivers/staging/octeon/ethernet-rx.c | 12 +- drivers/staging/octeon/ethernet.c | 8 +- drivers/staging/rtl8188eu/include/hal_intf.h | 2 +- drivers/staging/rtl8712/rtl871x_io.h | 2 +- drivers/staging/sm750fb/sm750.c | 14 +- drivers/staging/unisys/visorbus/visorbus_private.h | 4 +- drivers/target/sbp/sbp_target.c | 4 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_transport.c | 2 +- drivers/thermal/cpu_cooling.c | 9 +- drivers/thermal/int340x_thermal/int3400_thermal.c | 6 +- drivers/thermal/of-thermal.c | 17 +- drivers/thermal/x86_pkg_temp_thermal.c | 2 +- drivers/tty/cyclades.c | 6 +- drivers/tty/hvc/hvc_console.c | 14 +- drivers/tty/hvc/hvcs.c | 21 +- drivers/tty/hvc/hvsi.c | 22 +- drivers/tty/hvc/hvsi_lib.c | 4 +- drivers/tty/ipwireless/tty.c | 27 +- drivers/tty/moxa.c | 2 +- drivers/tty/n_gsm.c | 4 +- drivers/tty/n_tty.c | 5 +- drivers/tty/pty.c | 4 +- drivers/tty/rocket.c | 6 +- drivers/tty/serial/8250/8250_core.c | 10 +- drivers/tty/serial/ifx6x60.c | 2 +- drivers/tty/serial/ioc4_serial.c | 6 +- drivers/tty/serial/kgdb_nmi.c | 4 +- drivers/tty/serial/kgdboc.c | 32 +- drivers/tty/serial/msm_serial.c | 4 +- drivers/tty/serial/samsung.c | 9 +- drivers/tty/serial/serial_core.c | 8 +- drivers/tty/synclink.c | 34 +- drivers/tty/synclink_gt.c | 28 +- drivers/tty/synclinkmp.c | 34 +- drivers/tty/tty_io.c | 2 +- drivers/tty/tty_ldisc.c | 8 +- drivers/tty/tty_port.c | 22 +- drivers/uio/uio.c | 13 +- drivers/usb/atm/cxacru.c | 2 +- drivers/usb/atm/usbatm.c | 24 +- drivers/usb/core/devices.c | 6 +- drivers/usb/core/devio.c | 10 +- drivers/usb/core/hcd.c | 4 +- drivers/usb/core/message.c | 6 +- drivers/usb/core/sysfs.c | 2 +- drivers/usb/core/usb.c | 2 +- drivers/usb/early/ehci-dbgp.c | 16 +- drivers/usb/gadget/function/u_serial.c | 22 +- drivers/usb/gadget/udc/dummy_hcd.c | 2 +- drivers/usb/host/ehci-hcd.c | 2 +- drivers/usb/host/ehci-hub.c | 4 +- drivers/usb/host/ehci-q.c | 4 +- drivers/usb/host/fotg210-hcd.c | 2 +- drivers/usb/host/fusbh200-hcd.c | 2 +- drivers/usb/host/hwa-hc.c | 2 +- drivers/usb/host/ohci-hcd.c | 2 +- drivers/usb/host/r8a66597.h | 2 +- drivers/usb/host/uhci-hcd.c | 2 +- drivers/usb/host/xhci-pci.c | 2 +- drivers/usb/host/xhci.c | 2 +- drivers/usb/misc/appledisplay.c | 4 +- drivers/usb/serial/console.c | 8 +- drivers/usb/storage/usb.c | 2 +- drivers/usb/storage/usb.h | 2 +- drivers/usb/usbip/vhci.h | 2 +- drivers/usb/usbip/vhci_hcd.c | 6 +- drivers/usb/usbip/vhci_rx.c | 2 +- drivers/usb/wusbcore/wa-hc.h | 4 +- drivers/usb/wusbcore/wa-xfer.c | 2 +- drivers/vfio/vfio.c | 2 +- drivers/vhost/vringh.c | 20 +- drivers/video/backlight/kb3886_bl.c | 2 +- drivers/video/fbdev/aty/aty128fb.c | 2 +- drivers/video/fbdev/aty/atyfb_base.c | 8 +- drivers/video/fbdev/aty/mach64_cursor.c | 5 +- drivers/video/fbdev/core/fb_defio.c | 6 +- drivers/video/fbdev/core/fbmem.c | 2 +- drivers/video/fbdev/hyperv_fb.c | 4 +- drivers/video/fbdev/i810/i810_accel.c | 1 + drivers/video/fbdev/matrox/matroxfb_base.c | 2 +- drivers/video/fbdev/mb862xx/mb862xxfb_accel.c | 16 +- drivers/video/fbdev/nvidia/nvidia.c | 27 +- drivers/video/fbdev/omap2/dss/display.c | 8 +- drivers/video/fbdev/s1d13xxxfb.c | 6 +- drivers/video/fbdev/smscufx.c | 4 +- drivers/video/fbdev/udlfb.c | 36 +- drivers/video/fbdev/uvesafb.c | 52 +- drivers/video/fbdev/vesafb.c | 58 +- drivers/video/fbdev/via/via_clock.h | 2 +- drivers/xen/events/events_base.c | 6 +- drivers/xen/evtchn.c | 4 +- fs/Kconfig.binfmt | 2 +- fs/afs/inode.c | 4 +- fs/aio.c | 2 +- fs/autofs4/waitq.c | 2 +- fs/befs/endian.h | 6 +- fs/binfmt_aout.c | 23 +- fs/binfmt_elf.c | 672 +- fs/binfmt_elf_fdpic.c | 2 +- fs/block_dev.c | 2 +- fs/btrfs/ctree.c | 9 +- fs/btrfs/delayed-inode.c | 6 +- fs/btrfs/delayed-inode.h | 4 +- fs/btrfs/super.c | 2 +- fs/btrfs/sysfs.c | 2 +- fs/btrfs/tests/free-space-tests.c | 8 +- fs/btrfs/tree-log.h | 2 +- fs/buffer.c | 2 +- fs/cachefiles/bind.c | 6 +- fs/cachefiles/daemon.c | 8 +- fs/cachefiles/internal.h | 12 +- fs/cachefiles/namei.c | 2 +- fs/cachefiles/proc.c | 12 +- fs/ceph/dir.c | 12 +- fs/ceph/super.c | 4 +- fs/cifs/cifs_debug.c | 12 +- fs/cifs/cifsfs.c | 8 +- fs/cifs/cifsglob.h | 54 +- fs/cifs/file.c | 10 +- fs/cifs/misc.c | 4 +- fs/cifs/smb1ops.c | 80 +- fs/cifs/smb2ops.c | 84 +- fs/cifs/smb2pdu.c | 3 +- fs/coda/cache.c | 10 +- fs/compat.c | 4 +- fs/compat_binfmt_elf.c | 2 + fs/compat_ioctl.c | 12 +- fs/configfs/dir.c | 10 +- fs/coredump.c | 16 +- fs/dcache.c | 51 +- fs/ecryptfs/inode.c | 2 +- fs/ecryptfs/miscdev.c | 2 +- fs/exec.c | 362 +- fs/ext2/xattr.c | 5 +- fs/ext3/xattr.c | 5 +- fs/ext4/ext4.h | 20 +- fs/ext4/mballoc.c | 44 +- fs/ext4/mmp.c | 2 +- fs/ext4/resize.c | 16 +- fs/ext4/super.c | 4 +- fs/ext4/xattr.c | 5 +- fs/fhandle.c | 3 +- fs/file.c | 4 +- fs/fs_struct.c | 8 +- fs/fscache/cookie.c | 40 +- fs/fscache/internal.h | 202 +- fs/fscache/object.c | 26 +- fs/fscache/operation.c | 38 +- fs/fscache/page.c | 110 +- fs/fscache/stats.c | 348 +- fs/fuse/cuse.c | 10 +- fs/fuse/dev.c | 4 +- fs/gfs2/glock.c | 22 +- fs/gfs2/glops.c | 4 +- fs/gfs2/quota.c | 6 +- fs/hugetlbfs/inode.c | 13 +- fs/inode.c | 4 +- fs/jffs2/erase.c | 3 +- fs/jffs2/wbuf.c | 3 +- fs/jfs/super.c | 2 +- fs/kernfs/dir.c | 2 +- fs/kernfs/file.c | 20 +- fs/libfs.c | 10 +- fs/lockd/clntproc.c | 4 +- fs/namei.c | 16 +- fs/namespace.c | 16 +- fs/nfs/callback_xdr.c | 2 +- fs/nfs/inode.c | 6 +- fs/nfsd/nfs4proc.c | 2 +- fs/nfsd/nfs4xdr.c | 2 +- fs/nfsd/nfscache.c | 11 +- fs/nfsd/vfs.c | 6 +- fs/nls/nls_base.c | 26 +- fs/nls/nls_euc-jp.c | 6 +- fs/nls/nls_koi8-ru.c | 6 +- fs/notify/fanotify/fanotify_user.c | 4 +- fs/notify/notification.c | 4 +- fs/ntfs/dir.c | 2 +- fs/ntfs/super.c | 6 +- fs/ocfs2/localalloc.c | 2 +- fs/ocfs2/ocfs2.h | 10 +- fs/ocfs2/suballoc.c | 12 +- fs/ocfs2/super.c | 20 +- fs/pipe.c | 72 +- fs/posix_acl.c | 4 +- fs/proc/array.c | 20 + fs/proc/base.c | 4 +- fs/proc/kcore.c | 34 +- fs/proc/meminfo.c | 2 +- fs/proc/nommu.c | 2 +- fs/proc/proc_sysctl.c | 26 +- fs/proc/task_mmu.c | 39 +- fs/proc/task_nommu.c | 4 +- fs/proc/vmcore.c | 16 +- fs/qnx6/qnx6.h | 4 +- fs/quota/netlink.c | 4 +- fs/read_write.c | 2 +- fs/reiserfs/do_balan.c | 2 +- fs/reiserfs/procfs.c | 2 +- fs/reiserfs/reiserfs.h | 4 +- fs/seq_file.c | 4 +- fs/splice.c | 43 +- fs/squashfs/xattr.c | 12 +- fs/sysv/sysv.h | 2 +- fs/tracefs/inode.c | 8 +- fs/ubifs/io.c | 2 +- fs/udf/misc.c | 2 +- fs/ufs/swab.h | 4 +- fs/xattr.c | 21 + fs/xfs/libxfs/xfs_bmap.c | 2 +- fs/xfs/xfs_dir2_readdir.c | 7 +- fs/xfs/xfs_ioctl.c | 2 +- fs/xfs/xfs_linux.h | 4 +- include/asm-generic/4level-fixup.h | 2 + include/asm-generic/atomic-long.h | 214 +- include/asm-generic/atomic64.h | 12 + include/asm-generic/barrier.h | 2 +- include/asm-generic/bitops/__fls.h | 2 +- include/asm-generic/bitops/fls.h | 2 +- include/asm-generic/bitops/fls64.h | 4 +- include/asm-generic/bug.h | 6 +- include/asm-generic/cache.h | 4 +- include/asm-generic/emergency-restart.h | 2 +- include/asm-generic/kmap_types.h | 4 +- include/asm-generic/local.h | 13 + include/asm-generic/pgtable-nopmd.h | 18 +- include/asm-generic/pgtable-nopud.h | 15 +- include/asm-generic/pgtable.h | 16 + include/asm-generic/uaccess.h | 16 + include/asm-generic/vmlinux.lds.h | 13 +- include/crypto/algapi.h | 2 +- include/drm/drmP.h | 16 +- include/drm/drm_crtc_helper.h | 2 +- include/drm/drm_mm.h | 2 +- include/drm/i915_pciids.h | 2 +- include/drm/intel-gtt.h | 4 +- include/drm/ttm/ttm_memory.h | 2 +- include/drm/ttm/ttm_page_alloc.h | 1 + include/keys/asymmetric-subtype.h | 2 +- include/linux/atmdev.h | 4 +- include/linux/atomic.h | 2 +- include/linux/audit.h | 2 +- include/linux/binfmts.h | 3 +- include/linux/bitmap.h | 2 +- include/linux/bitops.h | 8 +- include/linux/blkdev.h | 2 +- include/linux/blktrace_api.h | 2 +- include/linux/cache.h | 8 + include/linux/cdrom.h | 1 - include/linux/cleancache.h | 2 +- include/linux/clk-provider.h | 1 + include/linux/compat.h | 6 +- include/linux/compiler-gcc.h | 28 +- include/linux/compiler.h | 95 +- include/linux/completion.h | 12 +- include/linux/configfs.h | 2 +- include/linux/cpufreq.h | 3 +- include/linux/cpuidle.h | 5 +- include/linux/cpumask.h | 14 +- include/linux/crypto.h | 4 +- include/linux/ctype.h | 2 +- include/linux/dcache.h | 4 +- include/linux/decompress/mm.h | 2 +- include/linux/devfreq.h | 2 +- include/linux/device.h | 7 +- include/linux/dma-mapping.h | 2 +- include/linux/efi.h | 1 + include/linux/elf.h | 2 + include/linux/err.h | 4 +- include/linux/extcon.h | 2 +- include/linux/fb.h | 3 +- include/linux/fdtable.h | 2 +- include/linux/fs.h | 5 +- include/linux/fs_struct.h | 2 +- include/linux/fscache-cache.h | 2 +- include/linux/fscache.h | 2 +- include/linux/fsnotify.h | 2 +- include/linux/genhd.h | 4 +- include/linux/genl_magic_func.h | 2 +- include/linux/gfp.h | 12 +- include/linux/highmem.h | 12 + include/linux/hwmon-sysfs.h | 6 +- include/linux/i2c.h | 1 + include/linux/if_pppox.h | 2 +- include/linux/init.h | 12 +- include/linux/init_task.h | 7 + include/linux/interrupt.h | 6 +- include/linux/iommu.h | 2 +- include/linux/ioport.h | 2 +- include/linux/ipc.h | 2 +- include/linux/irq.h | 5 +- include/linux/irqdesc.h | 2 +- include/linux/irqdomain.h | 3 + include/linux/jiffies.h | 30 +- include/linux/kernel.h | 2 +- include/linux/key-type.h | 2 +- include/linux/kgdb.h | 6 +- include/linux/kmemleak.h | 4 +- include/linux/kobject.h | 3 +- include/linux/kobject_ns.h | 2 +- include/linux/kref.h | 2 +- include/linux/kvm_host.h | 4 +- include/linux/libata.h | 2 +- include/linux/linkage.h | 1 + include/linux/list.h | 15 + include/linux/lockref.h | 26 +- include/linux/math64.h | 10 +- include/linux/mempolicy.h | 7 + include/linux/mm.h | 104 +- include/linux/mm_types.h | 20 + include/linux/mmiotrace.h | 4 +- include/linux/mmzone.h | 2 +- include/linux/mod_devicetable.h | 4 +- include/linux/module.h | 69 +- include/linux/moduleloader.h | 16 + include/linux/moduleparam.h | 4 +- include/linux/net.h | 2 +- include/linux/netdevice.h | 7 +- include/linux/netfilter.h | 2 +- include/linux/netfilter/nfnetlink.h | 2 +- include/linux/nls.h | 4 +- include/linux/notifier.h | 3 +- include/linux/oprofile.h | 4 +- include/linux/padata.h | 2 +- include/linux/pci_hotplug.h | 3 +- include/linux/percpu.h | 2 +- include/linux/perf_event.h | 12 +- include/linux/pipe_fs_i.h | 8 +- include/linux/pm.h | 1 + include/linux/pm_domain.h | 4 +- include/linux/pm_runtime.h | 2 +- include/linux/pnp.h | 2 +- include/linux/poison.h | 4 +- include/linux/power/smartreflex.h | 2 +- include/linux/ppp-comp.h | 2 +- include/linux/preempt.h | 21 + include/linux/proc_ns.h | 2 +- include/linux/quota.h | 2 +- include/linux/random.h | 23 +- include/linux/rculist.h | 16 + include/linux/reboot.h | 14 +- include/linux/regset.h | 3 +- include/linux/relay.h | 2 +- include/linux/rio.h | 2 +- include/linux/rmap.h | 4 +- include/linux/sched.h | 74 +- include/linux/sched/sysctl.h | 1 + include/linux/semaphore.h | 2 +- include/linux/seq_file.h | 1 + include/linux/signal.h | 2 +- include/linux/skbuff.h | 10 +- include/linux/slab.h | 47 +- include/linux/slab_def.h | 14 +- include/linux/slub_def.h | 2 +- include/linux/smp.h | 2 + include/linux/sock_diag.h | 2 +- include/linux/sonet.h | 2 +- include/linux/sunrpc/addr.h | 8 +- include/linux/sunrpc/clnt.h | 2 +- include/linux/sunrpc/svc.h | 2 +- include/linux/sunrpc/svc_rdma.h | 18 +- include/linux/sunrpc/svcauth.h | 2 +- include/linux/swiotlb.h | 3 +- include/linux/syscalls.h | 21 +- include/linux/syscore_ops.h | 2 +- include/linux/sysctl.h | 3 +- include/linux/sysfs.h | 9 +- include/linux/sysrq.h | 3 +- include/linux/tcp.h | 14 +- include/linux/thread_info.h | 7 + include/linux/tty.h | 4 +- include/linux/tty_driver.h | 2 +- include/linux/tty_ldisc.h | 2 +- include/linux/types.h | 16 + include/linux/uaccess.h | 6 +- include/linux/uio_driver.h | 2 +- include/linux/unaligned/access_ok.h | 24 +- include/linux/usb.h | 6 +- include/linux/usb/hcd.h | 1 + include/linux/usb/renesas_usbhs.h | 2 +- include/linux/vermagic.h | 21 +- include/linux/vga_switcheroo.h | 8 +- include/linux/vmalloc.h | 7 +- include/linux/vmstat.h | 24 +- include/linux/xattr.h | 5 +- include/linux/zlib.h | 3 +- include/media/v4l2-dev.h | 2 +- include/media/v4l2-device.h | 2 +- include/net/9p/transport.h | 2 +- include/net/bluetooth/l2cap.h | 2 +- include/net/bonding.h | 2 +- include/net/caif/cfctrl.h | 6 +- include/net/flow.h | 2 +- include/net/genetlink.h | 2 +- include/net/gro_cells.h | 2 +- include/net/inet_connection_sock.h | 2 +- include/net/inet_sock.h | 2 +- include/net/inetpeer.h | 2 +- include/net/ip_fib.h | 2 +- include/net/ip_vs.h | 8 +- include/net/irda/ircomm_tty.h | 1 + include/net/iucv/af_iucv.h | 2 +- include/net/llc_c_ac.h | 2 +- include/net/llc_c_ev.h | 4 +- include/net/llc_c_st.h | 2 +- include/net/llc_s_ac.h | 2 +- include/net/llc_s_st.h | 2 +- include/net/mac80211.h | 2 +- include/net/neighbour.h | 2 +- include/net/net_namespace.h | 18 +- include/net/netlink.h | 2 +- include/net/netns/conntrack.h | 6 +- include/net/netns/ipv4.h | 4 +- include/net/netns/ipv6.h | 4 +- include/net/netns/xfrm.h | 2 +- include/net/ping.h | 2 +- include/net/protocol.h | 4 +- include/net/rtnetlink.h | 2 +- include/net/sctp/checksum.h | 4 +- include/net/sctp/sm.h | 4 +- include/net/sctp/structs.h | 2 +- include/net/sock.h | 12 +- include/net/tcp.h | 8 +- include/net/xfrm.h | 13 +- include/rdma/iw_cm.h | 2 +- include/scsi/libfc.h | 3 +- include/scsi/scsi_device.h | 6 +- include/scsi/scsi_driver.h | 2 +- include/scsi/scsi_transport_fc.h | 3 +- include/scsi/sg.h | 2 +- include/sound/compress_driver.h | 2 +- include/sound/soc.h | 4 +- include/target/target_core_base.h | 2 +- include/trace/events/irq.h | 4 +- include/uapi/linux/a.out.h | 8 + include/uapi/linux/bcache.h | 5 +- include/uapi/linux/byteorder/little_endian.h | 28 +- include/uapi/linux/connector.h | 2 +- include/uapi/linux/elf.h | 28 + include/uapi/linux/screen_info.h | 3 +- include/uapi/linux/swab.h | 6 +- include/uapi/linux/xattr.h | 4 + include/video/udlfb.h | 8 +- include/video/uvesafb.h | 1 + init/Kconfig | 2 +- init/Makefile | 3 + init/do_mounts.c | 14 +- init/do_mounts.h | 8 +- init/do_mounts_initrd.c | 30 +- init/do_mounts_md.c | 6 +- init/init_task.c | 4 + init/initramfs.c | 38 +- init/main.c | 30 +- ipc/compat.c | 4 +- ipc/ipc_sysctl.c | 8 +- ipc/mq_sysctl.c | 4 +- ipc/sem.c | 4 +- ipc/shm.c | 6 + kernel/audit.c | 8 +- kernel/auditsc.c | 4 +- kernel/bpf/core.c | 7 +- kernel/capability.c | 3 + kernel/compat.c | 38 +- kernel/debug/debug_core.c | 16 +- kernel/debug/kdb/kdb_main.c | 4 +- kernel/events/core.c | 26 +- kernel/events/internal.h | 10 +- kernel/events/uprobes.c | 2 +- kernel/exit.c | 2 +- kernel/fork.c | 165 +- kernel/futex.c | 11 +- kernel/futex_compat.c | 2 +- kernel/gcov/base.c | 7 +- kernel/irq/manage.c | 2 +- kernel/irq/msi.c | 20 +- kernel/irq/spurious.c | 2 +- kernel/jump_label.c | 5 + kernel/kallsyms.c | 37 +- kernel/kexec.c | 3 +- kernel/kmod.c | 8 +- kernel/kprobes.c | 4 +- kernel/ksysfs.c | 2 +- kernel/locking/lockdep.c | 7 +- kernel/locking/mutex-debug.c | 12 +- kernel/locking/mutex-debug.h | 4 +- kernel/locking/mutex.c | 6 +- kernel/locking/rtmutex-tester.c | 24 +- kernel/module.c | 422 +- kernel/notifier.c | 17 +- kernel/padata.c | 4 +- kernel/panic.c | 5 +- kernel/pid.c | 2 +- kernel/pid_namespace.c | 2 +- kernel/power/process.c | 12 +- kernel/profile.c | 14 +- kernel/ptrace.c | 8 +- kernel/rcu/rcutorture.c | 60 +- kernel/rcu/tiny.c | 4 +- kernel/rcu/tree.c | 66 +- kernel/rcu/tree.h | 26 +- kernel/rcu/tree_plugin.h | 14 +- kernel/rcu/tree_trace.c | 22 +- kernel/sched/auto_group.c | 4 +- kernel/sched/completion.c | 6 +- kernel/sched/core.c | 45 +- kernel/sched/fair.c | 2 +- kernel/sched/sched.h | 2 +- kernel/signal.c | 12 +- kernel/smpboot.c | 4 +- kernel/softirq.c | 12 +- kernel/sys.c | 10 +- kernel/sysctl.c | 34 +- kernel/time/alarmtimer.c | 2 +- kernel/time/posix-cpu-timers.c | 4 +- kernel/time/posix-timers.c | 24 +- kernel/time/timer.c | 4 +- kernel/time/timer_stats.c | 10 +- kernel/trace/blktrace.c | 6 +- kernel/trace/ftrace.c | 15 +- kernel/trace/ring_buffer.c | 96 +- kernel/trace/trace.c | 2 +- kernel/trace/trace.h | 2 +- kernel/trace/trace_clock.c | 4 +- kernel/trace/trace_events.c | 1 - kernel/trace/trace_functions_graph.c | 4 +- kernel/trace/trace_mmiotrace.c | 8 +- kernel/trace/trace_output.c | 10 +- kernel/trace/trace_seq.c | 2 +- kernel/trace/trace_stack.c | 2 +- kernel/user_namespace.c | 2 +- kernel/utsname_sysctl.c | 2 +- kernel/watchdog.c | 2 +- kernel/workqueue.c | 4 +- lib/Kconfig.debug | 8 +- lib/Makefile | 2 +- lib/average.c | 2 +- lib/bitmap.c | 10 +- lib/bug.c | 2 + lib/debugobjects.c | 2 +- lib/decompress_bunzip2.c | 3 +- lib/decompress_unlzma.c | 4 +- lib/div64.c | 4 +- lib/dma-debug.c | 4 +- lib/inflate.c | 2 +- lib/ioremap.c | 4 +- lib/kobject.c | 4 +- lib/list_debug.c | 126 +- lib/lockref.c | 44 +- lib/percpu-refcount.c | 2 +- lib/radix-tree.c | 2 +- lib/random32.c | 2 +- lib/show_mem.c | 2 +- lib/strncpy_from_user.c | 2 +- lib/strnlen_user.c | 2 +- lib/swiotlb.c | 2 +- lib/usercopy.c | 6 + lib/vsprintf.c | 12 +- mm/Kconfig | 6 +- mm/backing-dev.c | 4 +- mm/filemap.c | 2 +- mm/gup.c | 13 +- mm/highmem.c | 7 +- mm/hugetlb.c | 70 +- mm/internal.h | 3 +- mm/maccess.c | 4 +- mm/madvise.c | 37 + mm/memory-failure.c | 34 +- mm/memory.c | 425 +- mm/mempolicy.c | 25 + mm/mlock.c | 15 +- mm/mm_init.c | 2 +- mm/mmap.c | 582 +- mm/mprotect.c | 137 +- mm/mremap.c | 44 +- mm/nommu.c | 21 +- mm/page-writeback.c | 2 +- mm/page_alloc.c | 49 +- mm/percpu.c | 2 +- mm/process_vm_access.c | 14 +- mm/rmap.c | 45 +- mm/shmem.c | 19 +- mm/slab.c | 109 +- mm/slab.h | 22 +- mm/slab_common.c | 86 +- mm/slob.c | 218 +- mm/slub.c | 102 +- mm/sparse-vmemmap.c | 4 +- mm/sparse.c | 2 +- mm/swap.c | 2 + mm/swapfile.c | 12 +- mm/util.c | 6 + mm/vmalloc.c | 112 +- mm/vmstat.c | 12 +- net/8021q/vlan.c | 5 +- net/8021q/vlan_netlink.c | 2 +- net/9p/mod.c | 4 +- net/9p/trans_fd.c | 2 +- net/atm/atm_misc.c | 8 +- net/atm/lec.h | 2 +- net/atm/proc.c | 6 +- net/atm/resources.c | 4 +- net/ax25/sysctl_net_ax25.c | 2 +- net/batman-adv/bat_iv_ogm.c | 8 +- net/batman-adv/fragmentation.c | 2 +- net/batman-adv/soft-interface.c | 8 +- net/batman-adv/types.h | 6 +- net/bluetooth/hci_sock.c | 2 +- net/bluetooth/l2cap_core.c | 6 +- net/bluetooth/l2cap_sock.c | 12 +- net/bluetooth/rfcomm/sock.c | 4 +- net/bluetooth/rfcomm/tty.c | 4 +- net/bridge/br_netlink.c | 2 +- net/bridge/netfilter/ebtables.c | 6 +- net/caif/cfctrl.c | 11 +- net/caif/chnl_net.c | 2 +- net/can/af_can.c | 2 +- net/can/gw.c | 6 +- net/ceph/messenger.c | 4 +- net/compat.c | 24 +- net/core/datagram.c | 2 +- net/core/dev.c | 16 +- net/core/filter.c | 2 +- net/core/flow.c | 6 +- net/core/neighbour.c | 4 +- net/core/net-sysfs.c | 2 +- net/core/net_namespace.c | 8 +- net/core/netpoll.c | 4 +- net/core/rtnetlink.c | 15 +- net/core/scm.c | 8 +- net/core/skbuff.c | 8 +- net/core/sock.c | 28 +- net/core/sock_diag.c | 15 +- net/core/sysctl_net_core.c | 22 +- net/decnet/af_decnet.c | 1 + net/decnet/sysctl_net_decnet.c | 4 +- net/dsa/dsa.c | 2 +- net/hsr/hsr_netlink.c | 2 +- net/ieee802154/6lowpan/core.c | 2 +- net/ieee802154/6lowpan/reassembly.c | 14 +- net/ipv4/af_inet.c | 2 +- net/ipv4/devinet.c | 18 +- net/ipv4/fib_frontend.c | 6 +- net/ipv4/fib_semantics.c | 2 +- net/ipv4/inet_connection_sock.c | 4 +- net/ipv4/inet_timewait_sock.c | 2 +- net/ipv4/inetpeer.c | 2 +- net/ipv4/ip_fragment.c | 15 +- net/ipv4/ip_gre.c | 6 +- net/ipv4/ip_sockglue.c | 2 +- net/ipv4/ip_vti.c | 4 +- net/ipv4/ipconfig.c | 6 +- net/ipv4/ipip.c | 4 +- net/ipv4/netfilter/arp_tables.c | 12 +- net/ipv4/netfilter/ip_tables.c | 12 +- net/ipv4/ping.c | 14 +- net/ipv4/raw.c | 14 +- net/ipv4/route.c | 32 +- net/ipv4/sysctl_net_ipv4.c | 22 +- net/ipv4/tcp_input.c | 6 +- net/ipv4/tcp_probe.c | 2 +- net/ipv4/udp.c | 10 +- net/ipv4/xfrm4_policy.c | 18 +- net/ipv6/addrconf.c | 16 +- net/ipv6/af_inet6.c | 2 +- net/ipv6/datagram.c | 2 +- net/ipv6/icmp.c | 2 +- net/ipv6/ip6_fib.c | 4 +- net/ipv6/ip6_gre.c | 10 +- net/ipv6/ip6_tunnel.c | 4 +- net/ipv6/ip6_vti.c | 4 +- net/ipv6/ipv6_sockglue.c | 2 +- net/ipv6/netfilter/ip6_tables.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 14 +- net/ipv6/ping.c | 33 +- net/ipv6/raw.c | 17 +- net/ipv6/reassembly.c | 13 +- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 4 +- net/ipv6/sysctl_net_ipv6.c | 2 +- net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_policy.c | 23 +- net/irda/ircomm/ircomm_tty.c | 18 +- net/iucv/af_iucv.c | 4 +- net/iucv/iucv.c | 2 +- net/key/af_key.c | 4 +- net/l2tp/l2tp_eth.c | 38 +- net/l2tp/l2tp_ip.c | 2 +- net/l2tp/l2tp_ip6.c | 2 +- net/mac80211/cfg.c | 8 +- net/mac80211/ieee80211_i.h | 3 +- net/mac80211/iface.c | 20 +- net/mac80211/main.c | 2 +- net/mac80211/pm.c | 4 +- net/mac80211/rate.c | 2 +- net/mac80211/sta_info.c | 2 +- net/mac80211/util.c | 8 +- net/mpls/af_mpls.c | 6 +- net/netfilter/ipset/ip_set_core.c | 2 +- net/netfilter/ipvs/ip_vs_conn.c | 6 +- net/netfilter/ipvs/ip_vs_core.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 14 +- net/netfilter/ipvs/ip_vs_lblc.c | 2 +- net/netfilter/ipvs/ip_vs_lblcr.c | 2 +- net/netfilter/ipvs/ip_vs_sync.c | 6 +- net/netfilter/ipvs/ip_vs_xmit.c | 4 +- net/netfilter/nf_conntrack_acct.c | 2 +- net/netfilter/nf_conntrack_ecache.c | 2 +- net/netfilter/nf_conntrack_helper.c | 2 +- net/netfilter/nf_conntrack_proto.c | 2 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nf_conntrack_timestamp.c | 2 +- net/netfilter/nf_log.c | 10 +- net/netfilter/nf_sockopt.c | 4 +- net/netfilter/nfnetlink_log.c | 4 +- net/netfilter/nft_compat.c | 9 +- net/netfilter/xt_statistic.c | 8 +- net/netlink/af_netlink.c | 4 +- net/openvswitch/vport-internal_dev.c | 2 +- net/openvswitch/vport.c | 16 +- net/openvswitch/vport.h | 8 +- net/packet/af_packet.c | 8 +- net/phonet/pep.c | 6 +- net/phonet/socket.c | 2 +- net/phonet/sysctl.c | 2 +- net/rds/cong.c | 6 +- net/rds/ib.h | 2 +- net/rds/ib_cm.c | 2 +- net/rds/ib_recv.c | 4 +- net/rds/iw.h | 2 +- net/rds/iw_cm.c | 2 +- net/rds/iw_recv.c | 4 +- net/rds/rds.h | 2 +- net/rds/tcp.c | 2 +- net/rds/tcp_send.c | 2 +- net/rxrpc/af_rxrpc.c | 2 +- net/rxrpc/ar-ack.c | 14 +- net/rxrpc/ar-call.c | 2 +- net/rxrpc/ar-connection.c | 2 +- net/rxrpc/ar-connevent.c | 2 +- net/rxrpc/ar-input.c | 4 +- net/rxrpc/ar-internal.h | 8 +- net/rxrpc/ar-local.c | 2 +- net/rxrpc/ar-output.c | 4 +- net/rxrpc/ar-peer.c | 2 +- net/rxrpc/ar-proc.c | 4 +- net/rxrpc/ar-transport.c | 2 +- net/rxrpc/rxkad.c | 4 +- net/sched/sch_generic.c | 4 +- net/sctp/ipv6.c | 6 +- net/sctp/protocol.c | 10 +- net/sctp/sm_sideeffect.c | 2 +- net/sctp/socket.c | 21 +- net/sctp/sysctl.c | 10 +- net/socket.c | 18 +- net/sunrpc/auth_gss/svcauth_gss.c | 4 +- net/sunrpc/clnt.c | 4 +- net/sunrpc/sched.c | 4 +- net/sunrpc/svc.c | 4 +- net/sunrpc/svcauth_unix.c | 4 +- net/sunrpc/xprtrdma/svc_rdma.c | 38 +- net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +- net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +- net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +- net/tipc/netlink_compat.c | 12 +- net/tipc/subscr.c | 2 +- net/unix/af_unix.c | 7 +- net/unix/sysctl_net_unix.c | 2 +- net/wireless/wext-core.c | 19 +- net/xfrm/xfrm_policy.c | 16 +- net/xfrm/xfrm_state.c | 33 +- net/xfrm/xfrm_sysctl.c | 2 +- scripts/Kbuild.include | 2 +- scripts/Makefile.build | 2 +- scripts/Makefile.clean | 3 +- scripts/Makefile.host | 63 +- scripts/basic/fixdep.c | 12 +- scripts/dtc/checks.c | 14 +- scripts/dtc/data.c | 6 +- scripts/dtc/flattree.c | 8 +- scripts/dtc/livetree.c | 4 +- scripts/gcc-plugin.sh | 51 + scripts/headers_install.sh | 1 + scripts/kallsyms.c | 4 +- scripts/kconfig/lkc.h | 5 +- scripts/kconfig/menu.c | 2 +- scripts/kconfig/symbol.c | 6 +- scripts/link-vmlinux.sh | 2 +- scripts/mod/file2alias.c | 14 +- scripts/mod/modpost.c | 25 +- scripts/mod/modpost.h | 6 +- scripts/mod/sumversion.c | 2 +- scripts/module-common.lds | 4 + scripts/package/builddeb | 1 + scripts/pnmtologo.c | 6 +- scripts/sortextable.h | 6 +- scripts/tags.sh | 2 +- security/Kconfig | 691 +- security/integrity/ima/ima.h | 4 +- security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 4 +- security/integrity/ima/ima_queue.c | 2 +- security/keys/key.c | 18 +- security/selinux/avc.c | 6 +- security/selinux/include/xfrm.h | 2 +- security/yama/yama_lsm.c | 2 +- sound/aoa/codecs/onyx.c | 7 +- sound/aoa/codecs/onyx.h | 1 + sound/core/oss/pcm_oss.c | 18 +- sound/core/pcm_compat.c | 2 +- sound/core/pcm_native.c | 4 +- sound/core/sound.c | 2 +- sound/drivers/mts64.c | 14 +- sound/drivers/opl4/opl4_lib.c | 2 +- sound/drivers/portman2x4.c | 3 +- sound/firewire/amdtp.c | 4 +- sound/firewire/amdtp.h | 4 +- sound/firewire/isight.c | 10 +- sound/firewire/scs1x.c | 8 +- sound/oss/sb_audio.c | 2 +- sound/oss/swarm_cs4297a.c | 6 +- sound/pci/hda/hda_codec.c | 2 +- sound/pci/ymfpci/ymfpci.h | 2 +- sound/pci/ymfpci/ymfpci_main.c | 12 +- sound/soc/soc-ac97.c | 6 +- sound/soc/xtensa/xtfpga-i2s.c | 2 +- tools/gcc/Makefile | 42 + tools/gcc/checker_plugin.c | 150 + tools/gcc/colorize_plugin.c | 215 + tools/gcc/constify_plugin.c | 564 + tools/gcc/gcc-common.h | 790 + tools/gcc/initify_plugin.c | 450 + tools/gcc/kallocstat_plugin.c | 188 + tools/gcc/kernexec_plugin.c | 551 + tools/gcc/latent_entropy_plugin.c | 470 + tools/gcc/size_overflow_plugin/.gitignore | 2 + tools/gcc/size_overflow_plugin/Makefile | 26 + .../disable_size_overflow_hash.data |11008 ++++++++++++++ .../generate_size_overflow_hash.sh | 103 + .../insert_size_overflow_asm.c | 409 + .../size_overflow_plugin/intentional_overflow.c | 980 ++ .../size_overflow_plugin/remove_unnecessary_dup.c | 137 + tools/gcc/size_overflow_plugin/size_overflow.h | 329 + .../gcc/size_overflow_plugin/size_overflow_debug.c | 192 + .../size_overflow_plugin/size_overflow_hash.data |15719 ++++++++++++++++++++ .../size_overflow_hash_aux.data | 92 + tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1373 ++ .../gcc/size_overflow_plugin/size_overflow_misc.c | 505 + .../size_overflow_plugin/size_overflow_plugin.c | 318 + .../size_overflow_plugin_hash.c | 353 + .../size_overflow_plugin/size_overflow_transform.c | 576 + .../size_overflow_transform_core.c | 962 ++ tools/gcc/stackleak_plugin.c | 436 + tools/gcc/structleak_plugin.c | 287 + tools/include/linux/compiler.h | 8 + tools/lib/api/Makefile | 2 +- tools/perf/util/include/asm/alternative-asm.h | 3 + tools/virtio/linux/uaccess.h | 2 +- virt/kvm/kvm_main.c | 44 +- 1963 files changed, 60342 insertions(+), 8946 deletions(-)