-commit f7db3dfa3af9c1961edc38ad733be47ddeb50ced
+commit 70614db891859ff8474665fc0e982e772c5baf6c
+Merge: 2aa7479 7f57ad4
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Dec 31 00:05:28 2014 -0500
+Date: Sat Nov 28 21:58:09 2015 -0500
- force kernfs to initialize the dentry before returning from mkdir
- It's different behavior than every other filesystem in existence, I reported
- it to upstream but they were uninterested in fixing it, even though the fsnotify
- code uses the dentry struct that is improperly initialized immediately after
- mkdir return.
+ Merge branch 'pax-test' into grsec-test
+
+commit 7f57ad48fc90cc2c942ef8cad44804ea6cdbfc67
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 28 21:57:41 2015 -0500
+
+ Update to pax-linux-4.2.6-test25.patch:
+ - fixed constify regression, reported by spender
+
+ tools/gcc/constify_plugin.c | 14 +++++++-------
+ tools/gcc/initify_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 13 ++++++-------
+ tools/gcc/structleak_plugin.c | 2 +-
+ 4 files changed, 15 insertions(+), 16 deletions(-)
+
+commit 2aa74790571aaea3d90191b1d235f580600d109f
+Merge: e10e76a 0851e20
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 27 21:02:06 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 0851e206a7d21e18d353984cb3f827158ce4237b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 27 21:01:41 2015 -0500
+
+ Update to pax-linux-4.2.6-test24.patch:
+ - Emese fixed a few false positive overflow reports due to intentional overflows introduced by gcc, reported by Arnaud, kdave (https://forums.grsecurity.net/viewtopic.php?t=4287&p=15813#p15799) and rfnx (https://forums.grsecurity.net/viewtopic.php?t=4322)
+ - Emese fixed a false positive size overflow report in ext4, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4324)
+ - fixed a potential integer truncation error in the raid10 code caught by the size overflow plugin, reported by Alexander Tsoy (https://bugs.gentoo.org/show_bug.cgi?id=566316#c10)
+ - fixed a few integer sign conversion errors in the kernel's zlib code caught by the size overflow plugin, reported by audiocricket (https://forums.grsecurity.net/viewtopic.php?f=3&t=4325)
+ - fixed the handling of the no-constify constify plugin parameter
+ - constified kvm_x86_ops
+ - fixed macro param usage in access_ok, reported by gcc-6
+ - turned off ipa-icf on the size overflow plugin as gcc-5 compiles it very slowly
+ - fixed all plugins for gcc-6
+
+ arch/arm/kvm/arm.c | 2 +-
+ arch/mips/kvm/mips.c | 2 +-
+ arch/powerpc/kvm/powerpc.c | 2 +-
+ arch/x86/include/asm/uaccess.h | 2 +-
+ arch/x86/kvm/svm.c | 2 +-
+ arch/x86/kvm/vmx.c | 24 ++++----
+ arch/x86/kvm/x86.c | 2 +-
+ crypto/zlib.c | 8 +-
+ drivers/md/raid10.c | 2 +-
+ include/linux/kvm_host.h | 4 +-
+ scripts/Makefile.host | 6 ++
+ tools/gcc/constify_plugin.c | 27 +++++---
+ tools/gcc/initify_plugin.c | 6 +-
+ tools/gcc/kernexec_plugin.c | 10 +--
+ tools/gcc/size_overflow_plugin/Makefile | 2 +
+ .../disable_size_overflow_hash.data | 3 +
+ .../insert_size_overflow_asm.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 63 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin/size_overflow.h | 1 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 3 -
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 14 +++--
+ .../size_overflow_transform_core.c | 2 +
+ virt/kvm/kvm_main.c | 2 +-
+ 26 files changed, 140 insertions(+), 57 deletions(-)
+
+commit e10e76a7ca9aab3528a613e91b556fd2f961c446
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Nov 27 20:04:14 2015 -0500
+
+ update RANDSTRUCT for gcc6
+
+ tools/gcc/randomize_layout_plugin.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit dd166b8680fdf8a72b44f175630803f33f442428
+Author: Filipe Manana <fdmanana@suse.com>
+Date: Fri Oct 16 12:34:25 2015 +0100
+
+ Btrfs: fix truncation of compressed and inlined extents
+
+ When truncating a file to a smaller size which consists of an inline
+ extent that is compressed, we did not discard (or made unusable) the
+ data between the new file size and the old file size, wasting metadata
+ space and allowing for the truncated data to be leaked and the data
+ corruption/loss mentioned below.
+ We were also not correctly decrementing the number of bytes used by the
+ inode, we were setting it to zero, giving a wrong report for callers of
+ the stat(2) syscall. The fsck tool also reported an error about a mismatch
+ between the nbytes of the file versus the real space used by the file.
+
+ Now because we weren't discarding the truncated region of the file, it
+ was possible for a caller of the clone ioctl to actually read the data
+ that was truncated, allowing for a security breach without requiring root
+ access to the system, using only standard filesystem operations. The
+ scenario is the following:
+
+ 1) User A creates a file which consists of an inline and compressed
+ extent with a size of 2000 bytes - the file is not accessible to
+ any other users (no read, write or execution permission for anyone
+ else);
+
+ 2) The user truncates the file to a size of 1000 bytes;
+
+ 3) User A makes the file world readable;
+
+ 4) User B creates a file consisting of an inline extent of 2000 bytes;
+
+ 5) User B issues a clone operation from user A's file into its own
+ file (using a length argument of 0, clone the whole range);
+
+ 6) User B now gets to see the 1000 bytes that user A truncated from
+ its file before it made its file world readbale. User B also lost
+ the bytes in the range [1000, 2000[ bytes from its own file, but
+ that might be ok if his/her intention was reading stale data from
+ user A that was never supposed to be public.
+
+ Note that this contrasts with the case where we truncate a file from 2000
+ bytes to 1000 bytes and then truncate it back from 1000 to 2000 bytes. In
+ this case reading any byte from the range [1000, 2000[ will return a value
+ of 0x00, instead of the original data.
+
+ This problem exists since the clone ioctl was added and happens both with
+ and without my recent data loss and file corruption fixes for the clone
+ ioctl (patch "Btrfs: fix file corruption and data loss after cloning
+ inline extents").
+
+ So fix this by truncating the compressed inline extents as we do for the
+ non-compressed case, which involves decompressing, if the data isn't already
+ in the page cache, compressing the truncated version of the extent, writing
+ the compressed content into the inline extent and then truncate it.
+
+ The following test case for fstests reproduces the problem. In order for
+ the test to pass both this fix and my previous fix for the clone ioctl
+ that forbids cloning a smaller inline extent into a larger one,
+ which is titled "Btrfs: fix file corruption and data loss after cloning
+ inline extents", are needed. Without that other fix the test fails in a
+ different way that does not leak the truncated data, instead part of
+ destination file gets replaced with zeroes (because the destination file
+ has a larger inline extent than the source).
+
+ seq=`basename $0`
+ seqres=$RESULT_DIR/$seq
+ echo "QA output created by $seq"
+ tmp=/tmp/$$
+ status=1 # failure is the default!
+ trap "_cleanup; exit \$status" 0 1 2 3 15
+
+ _cleanup()
+ {
+ rm -f $tmp.*
+ }
+
+ # get standard environment, filters and checks
+ . ./common/rc
+ . ./common/filter
+
+ # real QA test starts here
+ _need_to_be_root
+ _supported_fs btrfs
+ _supported_os Linux
+ _require_scratch
+ _require_cloner
+
+ rm -f $seqres.full
+
+ _scratch_mkfs >>$seqres.full 2>&1
+ _scratch_mount "-o compress"
+
+ # Create our test files. File foo is going to be the source of a clone operation
+ # and consists of a single inline extent with an uncompressed size of 512 bytes,
+ # while file bar consists of a single inline extent with an uncompressed size of
+ # 256 bytes. For our test's purpose, it's important that file bar has an inline
+ # extent with a size smaller than foo's inline extent.
+ $XFS_IO_PROG -f -c "pwrite -S 0xa1 0 128" \
+ -c "pwrite -S 0x2a 128 384" \
+ $SCRATCH_MNT/foo | _filter_xfs_io
+ $XFS_IO_PROG -f -c "pwrite -S 0xbb 0 256" $SCRATCH_MNT/bar | _filter_xfs_io
+
+ # Now durably persist all metadata and data. We do this to make sure that we get
+ # on disk an inline extent with a size of 512 bytes for file foo.
+ sync
+
+ # Now truncate our file foo to a smaller size. Because it consists of a
+ # compressed and inline extent, btrfs did not shrink the inline extent to the
+ # new size (if the extent was not compressed, btrfs would shrink it to 128
+ # bytes), it only updates the inode's i_size to 128 bytes.
+ $XFS_IO_PROG -c "truncate 128" $SCRATCH_MNT/foo
+
+ # Now clone foo's inline extent into bar.
+ # This clone operation should fail with errno EOPNOTSUPP because the source
+ # file consists only of an inline extent and the file's size is smaller than
+ # the inline extent of the destination (128 bytes < 256 bytes). However the
+ # clone ioctl was not prepared to deal with a file that has a size smaller
+ # than the size of its inline extent (something that happens only for compressed
+ # inline extents), resulting in copying the full inline extent from the source
+ # file into the destination file.
+ #
+ # Note that btrfs' clone operation for inline extents consists of removing the
+ # inline extent from the destination inode and copy the inline extent from the
+ # source inode into the destination inode, meaning that if the destination
+ # inode's inline extent is larger (N bytes) than the source inode's inline
+ # extent (M bytes), some bytes (N - M bytes) will be lost from the destination
+ # file. Btrfs could copy the source inline extent's data into the destination's
+ # inline extent so that we would not lose any data, but that's currently not
+ # done due to the complexity that would be needed to deal with such cases
+ # (specially when one or both extents are compressed), returning EOPNOTSUPP, as
+ # it's normally not a very common case to clone very small files (only case
+ # where we get inline extents) and copying inline extents does not save any
+ # space (unlike for normal, non-inlined extents).
+ $CLONER_PROG -s 0 -d 0 -l 0 $SCRATCH_MNT/foo $SCRATCH_MNT/bar
+
+ # Now because the above clone operation used to succeed, and due to foo's inline
+ # extent not being shinked by the truncate operation, our file bar got the whole
+ # inline extent copied from foo, making us lose the last 128 bytes from bar
+ # which got replaced by the bytes in range [128, 256[ from foo before foo was
+ # truncated - in other words, data loss from bar and being able to read old and
+ # stale data from foo that should not be possible to read anymore through normal
+ # filesystem operations. Contrast with the case where we truncate a file from a
+ # size N to a smaller size M, truncate it back to size N and then read the range
+ # [M, N[, we should always get the value 0x00 for all the bytes in that range.
+
+ # We expected the clone operation to fail with errno EOPNOTSUPP and therefore
+ # not modify our file's bar data/metadata. So its content should be 256 bytes
+ # long with all bytes having the value 0xbb.
+ #
+ # Without the btrfs bug fix, the clone operation succeeded and resulted in
+ # leaking truncated data from foo, the bytes that belonged to its range
+ # [128, 256[, and losing data from bar in that same range. So reading the
+ # file gave us the following content:
+ #
+ # 0000000 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1 a1
+ # *
+ # 0000200 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a
+ # *
+ # 0000400
+ echo "File bar's content after the clone operation:"
+ od -t x1 $SCRATCH_MNT/bar
+
+ # Also because the foo's inline extent was not shrunk by the truncate
+ # operation, btrfs' fsck, which is run by the fstests framework everytime a
+ # test completes, failed reporting the following error:
+ #
+ # root 5 inode 257 errors 400, nbytes wrong
+
+ status=0
+ exit
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Filipe Manana <fdmanana@suse.com>
+
+ fs/btrfs/inode.c | 82 ++++++++++++++++++++++++++++++++++++++++++++---------
+ 1 files changed, 68 insertions(+), 14 deletions(-)
+
+commit fe6936fd0f41ee2dccce47f5642251649a54e4d4
+Author: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Date: Wed Nov 25 07:47:40 2015 +0100
+
+ isdn: Partially revert debug format string usage clean up
+
+ Commit 35a4a57 ("isdn: clean up debug format string usage") introduced
+ a safeguard to avoid accidential format string interpolation of data
+ when calling debugl1 or HiSax_putstatus. This did however not take into
+ account VHiSax_putstatus (called by HiSax_putstatus) does *not* call
+ vsprintf if the head parameter is NULL - the format string is treated
+ as plain text then instead. As a result, the string "%s" is processed
+ literally, and the actual information is lost. This affects the isdnlog
+ userspace program which stopped logging information since that commit.
+
+ So revert the HiSax_putstatus invocations to the previous state.
+
+ Fixes: 35a4a5733b0a ("isdn: clean up debug format string usage")
+ Cc: Kees Cook <keescook@chromium.org>
+ Cc: Karsten Keil <isdn@linux-pingi.de>
+ Signed-off-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/isdn/hisax/config.c | 2 +-
+ drivers/isdn/hisax/hfc_pci.c | 2 +-
+ drivers/isdn/hisax/hfc_sx.c | 2 +-
+ drivers/isdn/hisax/q931.c | 6 +++---
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 574035e44b3d49a71f1c0737b7b49bf60ddf0ce7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 25 20:24:52 2015 -0500
+
+ future-proof the code against users of VM_NO_GUARD, mark KASAN as an incompatibility with KSTACKOVERFLOW
+
+ lib/Kconfig.kasan | 2 +-
+ mm/vmalloc.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 8a355f2c56ecd40ada14fd16717105ea9a9ac0b5
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon Nov 23 21:11:08 2015 -0500
+
+ fix sysvfs symlinks
+
+ The thing got broken back in 2002 - sysvfs does *not* have inline
+ symlinks; even short ones have bodies stored in the first block
+ of file. sysv_symlink() handles that correctly; unfortunately,
+ attempting to look an existing symlink up will end up confusing
+ them for inline symlinks, and interpret the block number containing
+ the body as the body itself.
+
+ Nobody has noticed until now, which says something about the level
+ of testing sysvfs gets ;-/
+
+ Cc: stable@vger.kernel.org # all of them, not that anyone cared
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/sysv/inode.c | 11 ++---------
+ 1 files changed, 2 insertions(+), 9 deletions(-)
+
+commit 195f1b816ff4cdcc8defc2dc0424cf25a0d937fb
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Nov 23 13:09:50 2015 +0100
+
+ vfs: Make sendfile(2) killable even better
+
+ Commit 296291cdd162 (mm: make sendfile(2) killable) fixed an issue where
+ sendfile(2) was doing a lot of tiny writes into a filesystem and thus
+ was unkillable for a long time. However sendfile(2) can be (mis)used to
+ issue lots of writes into arbitrary file descriptor such as evenfd or
+ similar special file descriptors which never hit the standard filesystem
+ write path and thus are still unkillable. E.g. the following example
+ from Dmitry burns CPU for ~16s on my test system without possibility to
+ be killed:
+
+ int r1 = eventfd(0, 0);
+ int r2 = memfd_create("", 0);
+ unsigned long n = 1<<30;
+ fallocate(r2, 0, 0, n);
+ sendfile(r1, r2, 0, n);
+
+ There are actually quite a few tests for pending signals in sendfile
+ code however we data to write is always available none of them seems to
+ trigger. So fix the problem by adding a test for pending signal into
+ splice_from_pipe_next() also before the loop waiting for pipe buffers to
+ be available. This should fix all the lockup issues with sendfile of the
+ do-ton-of-tiny-writes nature.
+
+ CC: stable@vger.kernel.org
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/splice.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 92470552efa5a49718308238c7da9ba2579a1147
+Author: Jan Kara <jack@suse.cz>
+Date: Mon Nov 23 13:09:51 2015 +0100
+
+ vfs: Avoid softlockups with sendfile(2)
+
+ The following test program from Dmitry can cause softlockups or RCU
+ stalls as it copies 1GB from tmpfs into eventfd and we don't have any
+ scheduling point at that path in sendfile(2) implementation:
+
+ int r1 = eventfd(0, 0);
+ int r2 = memfd_create("", 0);
+ unsigned long n = 1<<30;
+ fallocate(r2, 0, 0, n);
+ sendfile(r1, r2, 0, n);
+
+ Add cond_resched() into __splice_from_pipe() to fix the problem.
+
+ CC: Dmitry Vyukov <dvyukov@google.com>
+ CC: stable@vger.kernel.org
+ Signed-off-by: Jan Kara <jack@suse.cz>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/splice.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 28ab97eb348dca6653eccb40d012103786d03ae6
+Author: Eric Dumazet <edumazet@google.com>
+Date: Tue Nov 24 11:39:54 2015 -0800
+
+ pidns: fix NULL dereference in __task_pid_nr_ns()
+
+ I got a crash during a "perf top" session that was caused by a race in
+ __task_pid_nr_ns() :
+
+ pid_nr_ns() was inlined, but apparently compiler chose to read
+ task->pids[type].pid twice, and the pid->level dereference crashed
+ because we got a NULL pointer at the second read :
+
+ if (pid && ns->level <= pid->level) { // CRASH
+
+ Just use RCU API properly to solve this race, and not worry about "perf
+ top" crashing hosts :(
+
+ get_task_pid() can benefit from same fix.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/pid.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 2545f7485c4676c52855750b992d8c1921e559c4
+Merge: 93a41eb 83df348
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 23 20:30:33 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 83df3482b33ef4d8192a253a6852e9a9db1f7dca
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 23 20:30:16 2015 -0500
+
+ Update to pax-linux-4.2.6-test23.patch:
+ - fixed gcc-common.h regression under gcc-5, reported by Arnaud and coldhak
+ - fixed ath10k compile error with the size overflow plugin, reported by victor and careta (https://forums.grsecurity.net/viewtopic.php?t=4323)
+
+ drivers/net/wireless/ath/ath10k/ce.c | 4 ++--
+ tools/gcc/gcc-common.h | 13 ++++++-------
+ 2 files changed, 8 insertions(+), 9 deletions(-)
+
+commit 93a41eb6e3a7ab9446658b6d2ec4623014b55232
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 22 17:14:38 2015 -0500
+
+ update gcc-common.h
+
+ tools/gcc/gcc-common.h | 13 ++++++-------
+ 1 files changed, 6 insertions(+), 7 deletions(-)
+
+commit 7da11be9f025bd8193f03f9b32697bc1ce8ac650
+Author: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Wed Jun 3 10:31:14 2015 +0100
+
+ x86/cpu: Fix SMAP check in PVOPS environments
+
+ There appears to be no formal statement of what pv_irq_ops.save_fl() is
+ supposed to return precisely. Native returns the full flags, while lguest and
+ Xen only return the Interrupt Flag, and both have comments by the
+ implementations stating that only the Interrupt Flag is looked at. This may
+ have been true when initially implemented, but no longer is.
+
+ To make matters worse, the Xen PVOP leaves the upper bits undefined, making
+ the BUG_ON() undefined behaviour. Experimentally, this now trips for 32bit PV
+ guests on Broadwell hardware. The BUG_ON() is consistent for an individual
+ build, but not consistent for all builds. It has also been a sitting timebomb
+ since SMAP support was introduced.
+
+ Use native_save_fl() instead, which will obtain an accurate view of the AC
+ flag.
+
+ Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+ Reviewed-by: David Vrabel <david.vrabel@citrix.com>
+ Tested-by: Rusty Russell <rusty@rustcorp.com.au>
+ Cc: Rusty Russell <rusty@rustcorp.com.au>
+ Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+ Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+ Cc: <lguest@lists.ozlabs.org>
+ Cc: Xen-devel <xen-devel@lists.xen.org>
+ CC: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/1433323874-6927-1-git-send-email-andrew.cooper3@citrix.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/kernel/cpu/common.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 08ce34cf092b9f1b5311f156df4182a282bf7acc
+Author: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed Nov 11 10:19:31 2015 -0800
+
+ x86/mpx: Do proper get_user() when running 32-bit binaries on 64-bit kernels
+
+ When you call get_user(foo, bar), you effectively do a
+
+ copy_from_user(&foo, bar, sizeof(*bar));
+
+ Note that the sizeof() is implicit.
+
+ When we reach out to userspace to try to zap an entire "bounds
+ table" we need to go read a "bounds directory entry" in order to
+ locate the table's address. The size of a "directory entry"
+ depends on the binary being run and is always the size of a
+ pointer.
+
+ But, when we have a 64-bit kernel and a 32-bit application, the
+ directory entry is still only 32-bits long, but we fetch it with
+ a 64-bit pointer which makes get_user() does a 64-bit fetch.
+ Reading 4 extra bytes isn't harmful, unless we are at the end of
+ and run off the table. It might also cause the zero page to get
+ faulted in unnecessarily even if you are not at the end.
+
+ Fix it up by doing a special 32-bit get_user() via a cast when
+ we have 32-bit userspace.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org>
+ Cc: Andy Lutomirski <luto@amacapital.net>
+ Cc: Borislav Petkov <bp@alien8.de>
+ Cc: Brian Gerst <brgerst@gmail.com>
+ Cc: Dave Hansen <dave@sr71.net>
+ Cc: Denys Vlasenko <dvlasenk@redhat.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Link: http://lkml.kernel.org/r/20151111181931.3ACF6822@viggo.jf.intel.com
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ arch/x86/mm/mpx.c | 25 ++++++++++++++++++++++++-
+ 1 files changed, 24 insertions(+), 1 deletions(-)
+
+commit 9e1e1d1d6f6f41b13a6e85f25e27aee4410f58bf
+Author: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Wed Nov 11 10:19:34 2015 -0800
+
+ x86/mpx: Fix 32-bit address space calculation
+
+ I received a bug report that running 32-bit MPX binaries on
+ 64-bit kernels was broken. I traced it down to this little code
+ snippet. We were switching our "number of bounds directory
+ entries" calculation correctly. But, we didn't switch the other
+ side of the calculation: the virtual space size.
+
+ This meant that we were calculating an absurd size for
+ bd_entry_virt_space() on 32-bit because we used the 64-bit
+ virt_space.
+
+ This was _also_ broken for 32-bit kernels running on 64-bit
+ hardware since boot_cpu_data.x86_virt_bits=48 even when running
+ in 32-bit mode.
+
+ Correct that and properly handle all 3 possible cases:
+
+ 1. 32-bit binary on 64-bit kernel
+ 2. 64-bit binary on 64-bit kernel
+ 3. 32-bit binary on 32-bit kernel
+
+ This manifested in having bounds tables not properly unmapped.
+ It "leaked" memory but had no functional impact otherwise.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org>
+ Cc: Andy Lutomirski <luto@amacapital.net>
+ Cc: Borislav Petkov <bp@alien8.de>
+ Cc: Brian Gerst <brgerst@gmail.com>
+ Cc: Dave Hansen <dave@sr71.net>
+ Cc: Denys Vlasenko <dvlasenk@redhat.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Link: http://lkml.kernel.org/r/20151111181934.FA7FAC34@viggo.jf.intel.com
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ arch/x86/mm/mpx.c | 22 +++++++++++++++++-----
+ 1 files changed, 17 insertions(+), 5 deletions(-)
+
+commit c197eee75054d90aafe695c0edb4f25feb469292
+Author: Huaitong Han <huaitong.han@intel.com>
+Date: Fri Nov 6 17:00:23 2015 +0800
+
+ x86/fpu: Fix get_xsave_addr() behavior under virtualization
+
+ KVM uses the get_xsave_addr() function in a different fashion from
+ the native kernel, in that the 'xsave' parameter belongs to guest vcpu,
+ not the currently running task.
+
+ But 'xsave' is replaced with current task's (host) xsave structure, so
+ get_xsave_addr() will incorrectly return the bad xsave address to KVM.
+
+ Fix it so that the passed in 'xsave' address is used - as intended
+ originally.
+
+ Signed-off-by: Huaitong Han <huaitong.han@intel.com>
+ Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org>
+ Cc: Andy Lutomirski <luto@amacapital.net>
+ Cc: Paolo Bonzini <pbonzini@redhat.com>
+ Cc: Borislav Petkov <bp@alien8.de>
+ Cc: Fenghua Yu <fenghua.yu@intel.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Oleg Nesterov <oleg@redhat.com>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: dave.hansen@intel.com
+ Link: http://lkml.kernel.org/r/1446800423-21622-1-git-send-email-huaitong.han@intel.com
+ [ Tidied up the changelog. ]
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ Conflicts:
+
+ arch/x86/kernel/fpu/xstate.c
+
+ arch/x86/kernel/fpu/xstate.c | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 460cdd8a9a19731ce27333866943eed81cba1d96
+Author: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue Nov 10 16:23:54 2015 -0800
+
+ x86/fpu: Fix 32-bit signal frame handling
+
+ (This should have gone to LKML originally. Sorry for the extra
+ noise, folks on the cc.)
+
+ Background:
+
+ Signal frames on x86 have two formats:
+
+ 1. For 32-bit executables (whether on a real 32-bit kernel or
+ under 32-bit emulation on a 64-bit kernel) we have a
+ 'fpregset_t' that includes the "FSAVE" registers.
+
+ 2. For 64-bit executables (on 64-bit kernels obviously), the
+ 'fpregset_t' is smaller and does not contain the "FSAVE"
+ state.
+
+ When creating the signal frame, we have to be aware of whether
+ we are running a 32 or 64-bit executable so we create the
+ correct format signal frame.
+
+ Problem:
+
+ save_xstate_epilog() uses 'fx_sw_reserved_ia32' whenever it is
+ called for a 32-bit executable. This is for real 32-bit and
+ ia32 emulation.
+
+ But, fpu__init_prepare_fx_sw_frame() only initializes
+ 'fx_sw_reserved_ia32' when emulation is enabled, *NOT* for real
+ 32-bit kernels.
+
+ This leads to really wierd situations where 32-bit programs
+ lose their extended state when returning from a signal handler.
+ The kernel copies the uninitialized (zero) 'fx_sw_reserved_ia32'
+ out to userspace in save_xstate_epilog(). But when returning
+ from the signal, the kernel errors out in check_for_xstate()
+ when it does not see FP_XSTATE_MAGIC1 present (because it was
+ zeroed). This leads to the FPU/XSAVE state being initialized.
+
+ For MPX, this leads to the most permissive state and means we
+ silently lose bounds violations. I think this would also mean
+ that we could lose *ANY* FPU/SSE/AVX state. I'm not sure why
+ no one has spotted this bug.
+
+ I believe this was broken by:
+
+ 72a671ced66d ("x86, fpu: Unify signal handling code paths for x86 and x86_64 kernels")
+
+ way back in 2012.
+
+ Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org>
+ Cc: Andy Lutomirski <luto@amacapital.net>
+ Cc: Borislav Petkov <bp@alien8.de>
+ Cc: Brian Gerst <brgerst@gmail.com>
+ Cc: Denys Vlasenko <dvlasenk@redhat.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: dave@sr71.net
+ Cc: fenghua.yu@intel.com
+ Cc: yu-cheng.yu@intel.com
+ Link: http://lkml.kernel.org/r/20151111002354.A0799571@viggo.jf.intel.com
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ arch/x86/kernel/fpu/signal.c | 11 +++++------
+ 1 files changed, 5 insertions(+), 6 deletions(-)
+
+commit c3f2cc8921a08fff1fbad9127dd7a30c4a953e88
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 18:36:58 2015 -0500
+
+ Fix gcc 5.x compilation, reported by Arnaud and coldhak
+
+ tools/gcc/gcc-common.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit f0ea1bc982c60c1c39d0f95d9f3db0ec799387ca
+Merge: 3929e88 c692401
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 15:41:38 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit c69240179ca6ff101670f4859bb0e9a9deb85359
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 15:41:06 2015 -0500
+
+ Update to pax-linux-4.2.6-test22.patch:
+ - made the previous READ_ONCE/WRITE_ONCE fix compatible with gcc PR 58145
+
+ include/linux/compiler.h | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 3929e882e451b177af1a615858f0a96a7cd734b1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 13:14:25 2015 -0500
+
+ remove disable_kill option entirely for the final 4.2 release
+
+ fs/exec.c | 11 -----------
+ security/Kconfig | 5 -----
+ 2 files changed, 0 insertions(+), 16 deletions(-)
+
+commit 91633d0eebc41553ea77b5fa7559aa806a60008c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 07:38:10 2015 -0500
+
+ compile fix
+
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0afc2f69e7f948995522f6e1dbb957ed84abd9b9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 07:14:43 2015 -0500
+
+ Revert previous AF_UNIX fix:
+ http://www.spinics.net/lists/netdev/msg318826.html
+ and apply new one by Jason Baron:
+ https://lkml.org/lkml/2015/9/29/825
+
+ include/net/af_unix.h | 1 +
+ net/unix/af_unix.c | 36 ++++++++++++++++++++++++++++++------
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+commit 0a3eec2b3d110042af4e0a9f1e87458262fce1eb
+Merge: 917a60c 8fd74af
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 06:50:33 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8fd74afe08ee45516a9daf2593f31c176516cb55
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 21 06:49:57 2015 -0500
+
+ Update to pax-linux-4.2.6-test21.patch:
+ - fixed a size overflow plugin bug that could cause a compiler error
+ - Emese fixed a size overflow false positive in xfrm4_mode_tunnel_input, reported by Arnaud <arnaud@drno.eu>
+ - updated gcc-common.h to support gcc-6
+ - fixed some undefined behaviour in READ_ONCE/WRITE_ONCE
+
+ include/linux/compiler.h | 38 +++----------------
+ tools/gcc/gcc-common.h | 39 ++++++++++++++++----
+ tools/gcc/initify_plugin.c | 4 +-
+ .../disable_size_overflow_hash.data | 7 +++-
+ .../size_overflow_plugin/intentional_overflow.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 9 +----
+ .../size_overflow_plugin/size_overflow_transform.c | 4 +-
+ 7 files changed, 50 insertions(+), 53 deletions(-)
+
+commit 917a60c749d80121229a1752874ff8a606778fc5
+Merge: 76fc822 77d474f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 18 19:58:31 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 77d474f0bcb2e5acafc78c66c456d1aebaac14b3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 18 19:58:08 2015 -0500
+
+ Update to pax-linux-4.2.6-test20.patch:
+ - constified some vdso/vsyscall related code/data
+
+ arch/x86/entry/vdso/vdso2c.h | 4 ++--
+ arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +-
+ arch/x86/mm/ioremap.c | 2 +-
+ mm/debug.c | 3 +++
+ 4 files changed, 7 insertions(+), 4 deletions(-)
+
+commit 76fc8223b2e6b6c950702adfdb055dd5da90657c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Nov 18 17:40:27 2015 -0500
+
+ Allow processes with CAP_SYS_PTRACE to ignore /proc/pid restrictions,
+ as reported by Andrew
+
+ fs/proc/base.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 708c2e025f8a05b76f319cfa5fa624d37d8ef6f3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 17 18:43:24 2015 -0500
+
+ Fix multiple character encodings in patch, reported by IooNag on the forums
+
+ grsecurity/Makefile | 2 +-
+ net/netfilter/xt_gradm.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit d1f7534df8687fd05858fd45805b1185eafe38a7
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Nov 17 15:10:59 2015 +0100
+
+ af_unix: take receive queue lock while appending new skb
+
+ While possibly in future we don't necessarily need to use
+ sk_buff_head.lock this is a rather larger change, as it affects the
+ af_unix fd garbage collector, diag and socket cleanups. This is too much
+ for a stable patch.
+
+ For the time being grab sk_buff_head.lock without disabling bh and irqs,
+ so don't use locked skb_queue_tail.
+
+ Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
+ Cc: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Reported-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 0df914e7a66a4807bac7762ab33ba3020944ef6b
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Nov 16 16:25:56 2015 +0100
+
+ af_unix: don't append consumed skbs to sk_receive_queue
+
+ In case multiple writes to a unix stream socket race we could end up in a
+ situation where we pre-allocate a new skb for use in unix_stream_sendpage
+ but have to free it again in the locked section because another skb
+ has been appended meanwhile, which we must use. Accidentally we didn't
+ clear the pointer after consuming it and so we touched freed memory
+ while appending it to the sk_receive_queue. So, clear the pointer after
+ consuming the skb.
+
+ This bug has been found with syzkaller
+ (http://github.com/google/syzkaller) by Dmitry Vyukov.
+
+ Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit ac8466abcd0ae871cd38d868e1a4e903b92ffc48
+Author: Jason A. Donenfeld <Jason@zx2c4.com>
+Date: Thu Nov 12 17:35:58 2015 +0100
+
+ ip_tunnel: disable preemption when updating per-cpu tstats
+
+ Drivers like vxlan use the recently introduced
+ udp_tunnel_xmit_skb/udp_tunnel6_xmit_skb APIs. udp_tunnel6_xmit_skb
+ makes use of ip6tunnel_xmit, and ip6tunnel_xmit, after sending the
+ packet, updates the struct stats using the usual
+ u64_stats_update_begin/end calls on this_cpu_ptr(dev->tstats).
+ udp_tunnel_xmit_skb makes use of iptunnel_xmit, which doesn't touch
+ tstats, so drivers like vxlan, immediately after, call
+ iptunnel_xmit_stats, which does the same thing - calls
+ u64_stats_update_begin/end on this_cpu_ptr(dev->tstats).
+
+ While vxlan is probably fine (I don't know?), calling a similar function
+ from, say, an unbound workqueue, on a fully preemptable kernel causes
+ real issues:
+
+ [ 188.434537] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u8:0/6
+ [ 188.435579] caller is debug_smp_processor_id+0x17/0x20
+ [ 188.435583] CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.2.6 #2
+ [ 188.435607] Call Trace:
+ [ 188.435611] [<ffffffff8234e936>] dump_stack+0x4f/0x7b
+ [ 188.435615] [<ffffffff81915f3d>] check_preemption_disabled+0x19d/0x1c0
+ [ 188.435619] [<ffffffff81915f77>] debug_smp_processor_id+0x17/0x20
+
+ The solution would be to protect the whole
+ this_cpu_ptr(dev->tstats)/u64_stats_update_begin/end blocks with
+ disabling preemption and then reenabling it.
+
+ Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/ip6_tunnel.h | 3 ++-
+ include/net/ip_tunnels.h | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+commit 44665148f06b73ea0c253a1a34d15689674d7421
+Author: Mathias Krause <minipli@googlemail.com>
+Date: Fri Nov 6 16:30:38 2015 -0800
+
+ printk: prevent userland from spoofing kernel messages
+
+ The following statement of ABI/testing/dev-kmsg is not quite right:
+
+ It is not possible to inject messages from userspace with the
+ facility number LOG_KERN (0), to make sure that the origin of the
+ messages can always be reliably determined.
+
+ Userland actually can inject messages with a facility of 0 by abusing the
+ fact that the facility is stored in a u8 data type. By using a facility
+ which is a multiple of 256 the assignment of msg->facility in log_store()
+ implicitly truncates it to 0, i.e. LOG_KERN, allowing users of /dev/kmsg
+ to spoof kernel messages as shown below:
+
+ The following call...
+ # printf '<%d>Kernel panic - not syncing: beer empty\n' 0 >/dev/kmsg
+ ...leads to the following log entry (dmesg -x | tail -n 1):
+ user :emerg : [ 66.137758] Kernel panic - not syncing: beer empty
+
+ However, this call...
+ # printf '<%d>Kernel panic - not syncing: beer empty\n' 0x800 >/dev/kmsg
+ ...leads to the slightly different log entry (note the kernel facility):
+ kern :emerg : [ 74.177343] Kernel panic - not syncing: beer empty
+
+ Fix that by limiting the user provided facility to 8 bit right from the
+ beginning and catch the truncation early.
+
+ Fixes: 7ff9554bb578 ("printk: convert byte-buffer to variable-length...")
+ Signed-off-by: Mathias Krause <minipli@googlemail.com>
+ Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Cc: Petr Mladek <pmladek@suse.cz>
+ Cc: Alex Elder <elder@linaro.org>
+ Cc: Joe Perches <joe@perches.com>
+ Cc: Kay Sievers <kay@vrfy.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ kernel/printk/printk.c | 13 ++++++++-----
+ 1 files changed, 8 insertions(+), 5 deletions(-)
+
+commit bef8fb168317597f02c00ab4075ff094dcdfd2c6
+Author: Borislav Petkov <bp@suse.de>
+Date: Thu Nov 5 16:57:56 2015 +0100
+
+ x86/cpu: Call verify_cpu() after having entered long mode too
+
+ When we get loaded by a 64-bit bootloader, kernel entry point is
+ startup_64 in head_64.S. We don't trust any and all bootloaders because
+ some will fiddle with CPU configuration so we go ahead and massage each
+ CPU into sanity again.
+
+ For example, some dell BIOSes have this XD disable feature which set
+ IA32_MISC_ENABLE[34] and disable NX. This might be some dumb workaround
+ for other OSes but Linux sure doesn't need it.
+
+ A similar thing is present in the Surface 3 firmware - see
+ https://bugzilla.kernel.org/show_bug.cgi?id=106051 - which sets this bit
+ only on the BSP:
+
+ # rdmsr -a 0x1a0
+ 400850089
+ 850089
+ 850089
+ 850089
+
+ I know, right?!
+
+ There's not even an off switch in there.
+
+ So fix all those cases by sanitizing the 64-bit entry point too. For
+ that, make verify_cpu() callable in 64-bit mode also.
+
+ Requested-and-debugged-by: "H. Peter Anvin" <hpa@zytor.com>
+ Reported-and-tested-by: Bastien Nocera <bugzilla@hadess.net>
+ Signed-off-by: Borislav Petkov <bp@suse.de>
+ Cc: Matt Fleming <matt@codeblueprint.co.uk>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/1446739076-21303-1-git-send-email-bp@alien8.de
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ Conflicts:
+
+ arch/x86/kernel/head_64.S
+
+ arch/x86/kernel/head_64.S | 9 +++++++++
+ arch/x86/kernel/verify_cpu.S | 12 +++++++-----
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+commit 9cb084208a9589a6a5be01d2b7df88843f4b01a4
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Nov 10 16:23:15 2015 +0100
+
+ af-unix: fix use-after-free with concurrent readers while splicing
+
+ During splicing an af-unix socket to a pipe we have to drop all
+ af-unix socket locks. While doing so we allow another reader to enter
+ unix_stream_read_generic which can read, copy and finally free another
+ skb. If exactly this skb is just in process of being spliced we get a
+ use-after-free report by kasan.
+
+ First, we must make sure to not have a free while the skb is used during
+ the splice operation. We simply increment its use counter before unlocking
+ the reader lock.
+
+ Stream sockets have the nice characteristic that we don't care about
+ zero length writes and they never reach the peer socket's queue. That
+ said, we can take the UNIXCB.consumed field as the indicator if the
+ skb was already freed from the socket's receive queue. If the skb was
+ fully consumed after we locked the reader side again we know it has been
+ dropped by a second reader. We indicate a short read to user space and
+ abort the current splice operation.
+
+ This bug has been found with syzkaller
+ (http://github.com/google/syzkaller) by Dmitry Vyukov.
+
+ Fixes: 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 18 ++++++++++++++++++
+ 1 files changed, 18 insertions(+), 0 deletions(-)
+
+commit 4e75d2b7d6546add44f0951e78410b131a1e660d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 14 15:08:46 2015 -0500
+
+ switch the default for SIZE_OVERFLOW_KILL to n, later we'll remove
+ the option entirely
+ Distros should make sure their users report all overflows printed to the
+ kernel logs so the underlying issues can be fixed
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2e37eb35e0f1ba5a0feac5264a7b24d89376d0a2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 14 15:07:51 2015 -0500
+
+ Resync with PaX
+
+ fs/btrfs/inode.c | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+commit 2f63d2552f38c700902d17bf9b591d82f39a3fb5
+Merge: 5e0ec21 823b1bc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 14 14:29:16 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 823b1bc5a8e670f7ddfa98ee0d83762bffab28fb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Nov 14 14:28:35 2015 -0500
+
+ Update to pax-linux-4.2.6-test19.patch:
+ - David Sterba updated the fix for one of the previous btrfs problems
+ - Emese and Rasmus Villemoes <linux@rasmusvillemoes.dk> fixed a few bugs in the initify plugin
+ - fixed debian package generation to support building out-of-tree modules with plugins, reported by Elie Roudninski <elie.roudninski@gmail.com>
+
+ fs/btrfs/delayed-inode.c | 3 +-
+ fs/btrfs/delayed-inode.h | 2 +-
+ fs/btrfs/inode.c | 2 +-
+ scripts/package/builddeb | 2 +-
+ tools/gcc/initify_plugin.c | 264 ++++++++++++++++++++++++++++++--------------
+ 5 files changed, 188 insertions(+), 85 deletions(-)
+
+commit 5e0ec21349bb3aeead0701ef51df3086ad377979
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Nov 12 19:54:21 2015 -0500
+
+ Revert https://patchwork.kernel.org/patch/7585611/ for now as it's been reported
+ to cause userland hangs, similar to previous bugs seen in the past
+
+ fs/btrfs/inode.c | 12 ------------
+ 1 files changed, 0 insertions(+), 12 deletions(-)
+
+commit 65402b5a6125cc95c3223a0da8f2817e13bf18ec
+Author: françois romieu <romieu@fr.zoreil.com>
+Date: Wed Nov 11 23:35:18 2015 +0100
+
+ r8169: fix kasan reported skb use-after-free.
+
+ Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+ Reported-by: Dave Jones <davej@codemonkey.org.uk>
+ Fixes: d7d2d89d4b0af ("r8169: Add software counter for multicast packages")
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Corinna Vinschen <vinschen@redhat.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/realtek/r8169.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit bbfcbb7b1e086062aa17358927e14e394830b8a3
+Author: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>
+Date: Thu Oct 22 11:17:03 2015 +1300
+
+ netfilter: Fix removal of GRE expectation entries created by PPTP
+
+ The uninitialized tuple structure caused incorrect hash calculation
+ and the lookup failed.
+
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=106441
+ Signed-off-by: Anthony Lineham <anthony.lineham@alliedtelesis.co.nz>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/ipv4/netfilter/nf_nat_pptp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit d7cb19f37a91603021e2bed6417766ecca315bd0
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue Nov 10 09:14:39 2015 +0100
+
+ KVM: svm: unconditionally intercept #DB
+
+ This is needed to avoid the possibility that the guest triggers
+ an infinite stream of #DB exceptions (CVE-2015-8104).
+
+ VMX is not affected: because it does not save DR6 in the VMCS,
+ it already intercepts #DB unconditionally.
+
+ Reported-by: Jan Beulich <jbeulich@suse.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ arch/x86/kvm/svm.c | 14 +++-----------
+ 1 files changed, 3 insertions(+), 11 deletions(-)
+
+commit 5b241ac6551e1675e1cbbc4a74fa1c698ada28f4
+Author: Eric Northup <digitaleric@google.com>
+Date: Tue Nov 3 18:03:53 2015 +0100
+
+ KVM: x86: work around infinite loop in microcode when #AC is delivered
+
+ It was found that a guest can DoS a host by triggering an infinite
+ stream of "alignment check" (#AC) exceptions. This causes the
+ microcode to enter an infinite loop where the core never receives
+ another interrupt. The host kernel panics pretty quickly due to the
+ effects (CVE-2015-5307).
+
+ Signed-off-by: Eric Northup <digitaleric@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+ arch/x86/include/uapi/asm/svm.h | 1 +
+ arch/x86/kvm/svm.c | 8 ++++++++
+ arch/x86/kvm/vmx.c | 5 ++++-
+ 3 files changed, 13 insertions(+), 1 deletions(-)
+
+commit 6113725aaaf6626522b93732f29dd36370695a89
+Author: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu Nov 5 00:01:51 2015 +0100
+
+ debugfs: fix refcount imbalance in start_creating
+
+ In debugfs' start_creating(), we pin the file system to safely access
+ its root. When we failed to create a file, we unpin the file system via
+ failed_creating() to release the mount count and eventually the reference
+ of the vfsmount.
+
+ However, when we run into an error during lookup_one_len() when still
+ in start_creating(), we only release the parent's mutex but not so the
+ reference on the mount. Looks like it was done in the past, but after
+ splitting portions of __create_file() into start_creating() and
+ end_creating() via 190afd81e4a5 ("debugfs: split the beginning and the
+ end of __create_file() off"), this seemed missed. Noticed during code
+ review.
+
+ Fixes: 190afd81e4a5 ("debugfs: split the beginning and the end of __create_file() off")
+ Cc: stable@vger.kernel.org # v4.0+
+ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/debugfs/inode.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit e91f8a6717837a8a64b6e86317a1373ec9cd6c04
+Author: Maciej W. Rozycki <macro@imgtec.com>
+Date: Mon Oct 26 15:48:19 2015 +0000
+
+ binfmt_elf: Don't clobber passed executable's file header
+
+ Do not clobber the buffer space passed from `search_binary_handler' and
+ originally preloaded by `prepare_binprm' with the executable's file
+ header by overwriting it with its interpreter's file header. Instead
+ keep the buffer space intact and directly use the data structure locally
+ allocated for the interpreter's file header, fixing a bug introduced in
+ 2.1.14 with loadable module support (linux-mips.org commit beb11695
+ [Import of Linux/MIPS 2.1.14], predating kernel.org repo's history).
+ Adjust the amount of data read from the interpreter's file accordingly.
+
+ This was not an issue before loadable module support, because back then
+ `load_elf_binary' was executed only once for a given ELF executable,
+ whether the function succeeded or failed.
+
+ With loadable module support supported and enabled, upon a failure of
+ `load_elf_binary' -- which may for example be caused by architecture
+ code rejecting an executable due to a missing hardware feature requested
+ in the file header -- a module load is attempted and then the function
+ reexecuted by `search_binary_handler'. With the executable's file
+ header replaced with its interpreter's file header the executable can
+ then be erroneously accepted in this subsequent attempt.
+
+ Cc: stable@vger.kernel.org # all the way back
+ Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/binfmt_elf.c | 10 +++++-----
+ 1 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 9c49029fe4cb9a52cb174aebfd5946a9d26b9956
+Merge: 5482e7e 7033393
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 9 19:51:58 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 70333935932c9f3eb333a354dd760b4233efcc37
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 9 19:51:19 2015 -0500
+
+ Update to pax-linux-4.2.6-test18.patch:
+ - cleaned up the last of the FPU changes, by spender
+ - fixed a few KERNEXEC regressions (backported from 4.3)
+ - Emese fixed a few size overflow false positives in kvm, reported by Christian Roessner (https://bugs.gentoo.org/show_bug.cgi?id=558138#c23)
+ - David Sterba fixed a few integer overflows in btrfs caught by the size overflow plugin (https://patchwork.kernel.org/patch/7585611/ and https://patchwork.kernel.org/patch/7582351/), reported by Victor, Stebalien and alan.d (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284)
+
+ arch/x86/include/asm/fpu/internal.h | 2 +-
+ arch/x86/include/asm/fpu/types.h | 1 -
+ arch/x86/kernel/apic/apic.c | 4 ++-
+ arch/x86/kernel/fpu/init.c | 36 --------------------
+ arch/x86/kernel/process_64.c | 6 +--
+ arch/x86/kernel/vsmp_64.c | 13 +++++--
+ drivers/acpi/video_detect.c | 2 +-
+ drivers/lguest/core.c | 2 +-
+ fs/btrfs/file.c | 10 ++++--
+ fs/btrfs/inode.c | 12 ++++++
+ .../disable_size_overflow_hash.data | 5 ++-
+ .../size_overflow_plugin/size_overflow_hash.data | 7 +---
+ 12 files changed, 42 insertions(+), 58 deletions(-)
+
+commit 5482e7eb4ba3c5cc90472ccdb1bfe2cec64413e2
+Merge: 81e2642 682ba19
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 9 18:19:48 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/pci/pci-sysfs.c
+
+commit 682ba19ce305f501c9bc5c42a76f2c7442aa22fc
+Merge: 7755256 1c02865
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 9 18:18:24 2015 -0500
+
+ Merge branch 'linux-4.2.y' into pax-test
+
+commit 81e26429b7a36f0c75de3ab42754256720c0a159
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 9 07:37:30 2015 -0500
+
+ btrfs: fix signed overflow in btrfs_sync_file
+
+ The calculation of range length in btrfs_sync_file leads to signed
+ overflow. This was caught by PaX gcc SIZE_OVERFLOW plugin.
+
+ https://forums.grsecurity.net/viewtopic.php?f=1&t=4284
+
+ The fsync call passes 0 and LLONG_MAX, the range length does not fit to
+ loff_t and overflows, but the value is converted to u64 so it silently
+ works as expected.
+
+ The minimal fix is a typecast to u64, switching functions to take
+ (start, end) instead of (start, len) would be more intrusive.
+
+ Coccinelle script found that there's one more opencoded calculation of
+ the length.
+
+ <smpl>
+ @@
+ loff_t start, end;
+ @@
+ * end - start
+ </smpl>
+
+ CC: stable@vger.kernel.org
+ Signed-off-by: David Sterba <dsterba@suse.com>
+
+ fs/btrfs/file.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+commit 07fd498a96e2d589ad743851c0dec482a92e0429
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Nov 8 17:04:31 2015 -0500
+
+ Fix an upstream type confusion bug exposed by RANDSTRUCT:
+ at the beginning of each sem_array/shmid_kernel/msg_queue
+ struct is an kern_ipc_perm struct. Unlike every other place in the
+ kernel where some field must be at an explicit location, there's
+ no documentation at all that the kern_ipc_perm must be at the beginning
+ of these structs. Previously, shmid_kernel and kern_ipc_perm were both
+ randomized with RANDSTRUCT. The problem arises due to the show() handler
+ for /proc for msg/sem/shm -- what it is provided is a pointer to
+ a kern_ipc_perm struct (as a void *) which each show() handler then
+ assumes can be implicitly cast to its own particular struct type without
+ any kind of container_of being performed. Fix this by doing the proper
+ type conversions for each via container_of, and randomize the sem and msg
+ structs while we're at it.
+
+ include/linux/msg.h | 2 +-
+ include/linux/sem.h | 2 +-
+ ipc/msg.c | 3 ++-
+ ipc/sem.c | 3 ++-
+ ipc/shm.c | 3 ++-
+ 5 files changed, 8 insertions(+), 5 deletions(-)
+
+commit 6591e1a526c544936975cd3515d8def09e8026f0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Nov 3 19:36:05 2015 -0500
+
+ Properly fix the PCI sysfs node check that was recently improperly fixed
+ upstream (it's under CAP_SYS_ADMIN so it's not really serious)
+ Reported by Mathias Krause
+
+ drivers/pci/pci-sysfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit ece03d4d07f29634687b2ea5edb7cab23888cff3
+Merge: 715e674 7755256
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 2 21:32:10 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 775525660a6353feb261ad6232f6acbc23826bf4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 2 21:31:21 2015 -0500
+
+ Update to pax-linux-4.2.5-test17.patch:
+ - Emese fixed a bunch of size overflow reports:
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4290
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4291
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4288
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4285
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4283
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4287
+ - https://forums.grsecurity.net/viewtopic.php?f=3&t=4289
+ - https://bugs.archlinux.org/task/46798
+ - fixed the x86 fpu code some more, reported by spender and others (https://bugs.gentoo.org/show_bug.cgi?id=563804, https://bugs.archlinux.org/task/46764)
+
+ arch/x86/include/asm/fpu/internal.h | 4 +-
+ arch/x86/kernel/fpu/core.c | 2 +-
+ arch/x86/kernel/process.c | 3 +-
+ arch/x86/kernel/process_64.c | 6 +-
+ drivers/usb/class/cdc-acm.h | 2 +-
+ drivers/video/console/fbcon.c | 2 +-
+ fs/dlm/lowcomms.c | 2 +-
+ include/linux/usb.h | 8 +-
+ .../disable_size_overflow_hash.data | 15 +-
+ .../size_overflow_plugin/intentional_overflow.c | 3 +
+ .../size_overflow_plugin/size_overflow_hash.data | 373 ++++++++++++++++----
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 3 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 13 files changed, 329 insertions(+), 96 deletions(-)
+
+commit 715e674a838f08748044bce459380762e9c1cd29
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Wed Oct 7 11:03:28 2015 -0500
+
+ PCI: Prevent out of bounds access in numa_node override
+
+ 63692df103e9 ("PCI: Allow numa_node override via sysfs") didn't check that
+ the numa node provided by userspace is valid. Passing a node number too
+ high would attempt to access invalid memory and trigger a kernel panic.
+
+ Fixes: 63692df103e9 ("PCI: Allow numa_node override via sysfs")
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+ CC: stable@vger.kernel.org # v3.19+
+
+ drivers/pci/pci-sysfs.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 6abe1bb892fe394df80dd4267a8bd2874d537e4e
+Author: David Howells <dhowells@redhat.com>
+Date: Fri Sep 18 11:45:12 2015 +0100
+
+ ovl: use O_LARGEFILE in ovl_copy_up()
+
+ Open the lower file with O_LARGEFILE in ovl_copy_up().
+
+ Pass O_LARGEFILE unconditionally in ovl_copy_up_data() as it's purely for
+ catching 32-bit userspace dealing with a file large enough that it'll be
+ mishandled if the application isn't aware that there might be an integer
+ overflow. Inside the kernel, there shouldn't be any problems.
+
+ Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+ Cc: <stable@vger.kernel.org> # v3.18+
+
+ fs/overlayfs/copy_up.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit bf5e23398e4a82e28fe0801337a4b78ca951a1d9
+Author: David Howells <dhowells@redhat.com>
+Date: Fri Sep 18 11:45:22 2015 +0100
+
+ ovl: fix dentry reference leak
+
+ In ovl_copy_up_locked(), newdentry is leaked if the function exits through
+ out_cleanup as this just to out after calling ovl_cleanup() - which doesn't
+ actually release the ref on newdentry.
+
+ The out_cleanup segment should instead exit through out2 as certainly
+ newdentry leaks - and possibly upper does also, though this isn't caught
+ given the catch of newdentry.
+
+ Without this fix, something like the following is seen:
+
+ BUG: Dentry ffff880023e9eb20{i=f861,n=#ffff880023e82d90} still in use (1) [unmount of tmpfs tmpfs]
+ BUG: Dentry ffff880023ece640{i=0,n=bigfile} still in use (1) [unmount of tmpfs tmpfs]
+
+ when unmounting the upper layer after an error occurred in copyup.
+
+ An error can be induced by creating a big file in a lower layer with
+ something like:
+
+ dd if=/dev/zero of=/lower/a/bigfile bs=65536 count=1 seek=$((0xf000))
+
+ to create a large file (4.1G). Overlay an upper layer that is too small
+ (on tmpfs might do) and then induce a copy up by opening it writably.
+
+ Reported-by: Ulrich Obergfell <uobergfe@redhat.com>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+ Cc: <stable@vger.kernel.org> # v3.18+
+
+ fs/overlayfs/copy_up.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit da93976d3355abae09d9fd6a68e7dea77ed619d1
+Author: Miklos Szeredi <miklos@szeredi.hu>
+Date: Mon Oct 12 15:56:20 2015 +0200
+
+ ovl: fix open in stacked overlay
+
+ If two overlayfs filesystems are stacked on top of each other, then we need
+ recursion in ovl_d_select_inode().
+
+ I guess d_backing_inode() is supposed to do that. But currently it doesn't
+ and that functionality is open coded in vfs_open(). This is now copied
+ into ovl_d_select_inode() to fix this regression.
+
+ Reported-by: Alban Crequy <alban.crequy@gmail.com>
+ Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+ Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay...")
+ Cc: David Howells <dhowells@redhat.com>
+ Cc: <stable@vger.kernel.org> # v4.2+
+
+ fs/overlayfs/inode.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 0ddd9cf6149717882b81c946149bf55332d763ae
+Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Mon Aug 24 15:57:18 2015 +0300
+
+ ovl: free stack of paths in ovl_fill_super
+
+ This fixes small memory leak after mount.
+
+ Kmemleak report:
+
+ unreferenced object 0xffff88003683fe00 (size 16):
+ comm "mount", pid 2029, jiffies 4294909563 (age 33.380s)
+ hex dump (first 16 bytes):
+ 20 27 1f bb 00 88 ff ff 40 4b 0f 36 02 88 ff ff '......@K.6....
+ backtrace:
+ [<ffffffff811f8cd4>] create_object+0x124/0x2c0
+ [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
+ [<ffffffff811dffe6>] __kmalloc+0x106/0x340
+ [<ffffffffa01b7a29>] ovl_fill_super+0x389/0x9a0 [overlay]
+ [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
+ [<ffffffffa01b7118>] ovl_mount+0x18/0x20 [overlay]
+ [<ffffffff81201ab3>] mount_fs+0x43/0x170
+ [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
+ [<ffffffff812233ad>] do_mount+0x22d/0xdf0
+ [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
+ [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+ Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+ Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+ Fixes: a78d9f0d5d5c ("ovl: support multiple lower layers")
+ Cc: <stable@vger.kernel.org> # v4.0+
+
+ fs/overlayfs/super.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit b86575c9973b9ad55d659fd8a6be8f864435ad0e
+Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Mon Aug 24 15:57:19 2015 +0300
+
+ ovl: free lower_mnt array in ovl_put_super
+
+ This fixes memory leak after umount.
+
+ Kmemleak report:
+
+ unreferenced object 0xffff8800ba791010 (size 8):
+ comm "mount", pid 2394, jiffies 4294996294 (age 53.920s)
+ hex dump (first 8 bytes):
+ 20 1c 13 02 00 88 ff ff .......
+ backtrace:
+ [<ffffffff811f8cd4>] create_object+0x124/0x2c0
+ [<ffffffff817a059b>] kmemleak_alloc+0x7b/0xc0
+ [<ffffffff811dffe6>] __kmalloc+0x106/0x340
+ [<ffffffffa0152bfc>] ovl_fill_super+0x55c/0x9b0 [overlay]
+ [<ffffffff81200ac4>] mount_nodev+0x54/0xa0
+ [<ffffffffa0152118>] ovl_mount+0x18/0x20 [overlay]
+ [<ffffffff81201ab3>] mount_fs+0x43/0x170
+ [<ffffffff81220d34>] vfs_kern_mount+0x74/0x170
+ [<ffffffff812233ad>] do_mount+0x22d/0xdf0
+ [<ffffffff812242cb>] SyS_mount+0x7b/0xc0
+ [<ffffffff817b6bee>] entry_SYSCALL_64_fastpath+0x12/0x76
+ [<ffffffffffffffff>] 0xffffffffffffffff
+
+ Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+ Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
+ Fixes: dd662667e6d3 ("ovl: add mutli-layer infrastructure")
+ Cc: <stable@vger.kernel.org> # v4.0+
+
+ fs/overlayfs/super.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 9f49b5376fae99cd590d13726e2633bc0a53b6db
+Author: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun Nov 1 17:09:15 2015 -0800
+
+ mm: get rid of 'vmalloc_info' from /proc/meminfo
+
+ It turns out that at least some versions of glibc end up reading
+ /proc/meminfo at every single startup, because glibc wants to know the
+ amount of memory the machine has. And while that's arguably insane,
+ it's just how things are.
+
+ And it turns out that it's not all that expensive most of the time, but
+ the vmalloc information statistics (amount of virtual memory used in the
+ vmalloc space, and the biggest remaining chunk) can be rather expensive
+ to compute.
+
+ The 'get_vmalloc_info()' function actually showed up on my profiles as
+ 4% of the CPU usage of "make test" in the git source repository, because
+ the git tests are lots of very short-lived shell-scripts etc.
+
+ It turns out that apparently this same silly vmalloc info gathering
+ shows up on the facebook servers too, according to Dave Jones. So it's
+ not just "make test" for git.
+
+ We had two patches to just cache the information (one by me, one by
+ Ingo) to mitigate this issue, but the whole vmalloc information of of
+ rather dubious value to begin with, and people who *actually* want to
+ know what the situation is wrt the vmalloc area should just look at the
+ much more complete /proc/vmallocinfo instead.
+
+ In fact, according to my testing - and perhaps more importantly,
+ according to that big search engine in the sky: Google - there is
+ nothing out there that actually cares about those two expensive fields:
+ VmallocUsed and VmallocChunk.
+
+ So let's try to just remove them entirely. Actually, this just removes
+ the computation and reports the numbers as zero for now, just to try to
+ be minimally intrusive.
+
+ If this breaks anything, we'll obviously have to re-introduce the code
+ to compute this all and add the caching patches on top. But if given
+ the option, I'd really prefer to just remove this bad idea entirely
+ rather than add even more code to work around our historical mistake
+ that likely nobody really cares about.
+
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/proc/meminfo.c | 7 ++-----
+ include/linux/vmalloc.h | 12 ------------
+ mm/vmalloc.c | 47 -----------------------------------------------
+ 3 files changed, 2 insertions(+), 64 deletions(-)
+
+commit 66425129a550275398f886498d957284539bb331
+Author: Marek Vasut <marex@denx.de>
+Date: Fri Oct 30 13:48:19 2015 +0100
+
+ can: Use correct type in sizeof() in nla_put()
+
+ The sizeof() is invoked on an incorrect variable, likely due to some
+ copy-paste error, and this might result in memory corruption. Fix this.
+
+ Signed-off-by: Marek Vasut <marex@denx.de>
+ Cc: Wolfgang Grandegger <wg@grandegger.com>
+ Cc: netdev@vger.kernel.org
+ Cc: linux-stable <stable@vger.kernel.org>
+ Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+
+ drivers/net/can/dev.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8c8e802a86f8faf2519710db043339e1cc953bc4
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 2 17:20:52 2015 -0500
+
+ Fix the FPU code properly by copying the dynamically-sized FPU state on
+ each clone of the task struct, making it equivalent to the new FPU-in-task-struct code
+
+ Fix is from the PaX Team
+
+ arch/x86/kernel/process.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 036bc2e2231c76f7eb470bfef67b6bc26187aeae
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Nov 2 17:19:43 2015 -0500
+
+ Revert the forced eagerfpu since it's now fixed properly
+
+ arch/x86/kernel/fpu/init.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit a08ab82bcf321704f6a228c7924b860510c6d610
+Author: Carol L Soto <clsoto@linux.vnet.ibm.com>
+Date: Tue Oct 27 17:36:20 2015 +0200
+
+ net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes
+
+ When doing memcpy/memset of EQEs, we should use sizeof struct
+ mlx4_eqe as the base size and not caps.eqe_size which could be bigger.
+
+ If caps.eqe_size is bigger than the struct mlx4_eqe then we corrupt
+ data in the master context.
+
+ When using a 64 byte stride, the memcpy copied over 63 bytes to the
+ slave_eq structure. This resulted in copying over the entire eqe of
+ interest, including its ownership bit -- and also 31 bytes of garbage
+ into the next WQE in the slave EQ -- which did NOT include the ownership
+ bit (and therefore had no impact).
+
+ However, once the stride is increased to 128, we are overwriting the
+ ownership bits of *three* eqes in the slave_eq struct. This results
+ in an incorrect ownership bit for those eqes, which causes the eq to
+ seem to be full. The issue therefore surfaced only once 128-byte EQEs
+ started being used in SRIOV and (overarchitectures that have 128/256
+ byte cache-lines such as PPC) - e.g after commit 77507aa249ae
+ "net/mlx4_core: Enable CQE/EQE stride support".
+
+ Fixes: 08ff32352d6f ('mlx4: 64-byte CQE/EQE support')
+ Signed-off-by: Carol L Soto <clsoto@linux.vnet.ibm.com>
+ Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+ Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ethernet/mellanox/mlx4/cmd.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx4/eq.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 811ab3b52935612def289efa5e9e2aa973f16f26
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Oct 28 13:21:04 2015 +0100
+
+ ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
+
+ Raw sockets with hdrincl enabled can insert ipv6 extension headers
+ right into the data stream. In case we need to fragment those packets,
+ we reparse the options header to find the place where we can insert
+ the fragment header. If the extension headers exceed the link's MTU we
+ actually cannot make progress in such a case.
+
+ Instead of ending up in broken arithmetic or rounding towards 0 and
+ entering an endless loop in ip6_fragment, just prevent those cases by
+ aborting early and signal -EMSGSIZE to user space.
+
+ This is the second version of the patch which doesn't use the
+ overflow_usub function, which got reverted for now.
+
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit f074980442c7c3ff4a75c711ff18204dfb4131b8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 29 18:19:02 2015 -0400
+
+ Revert "ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues"
+
+ This reverts commit 18d5034650b637ec479f41d98e3912398b3e3efc.
+
+ net/ipv6/ip6_output.c | 6 +-----
+ 1 files changed, 1 insertions(+), 5 deletions(-)
+
+commit 53e629c2d13ed09f4c889925482606f82a65bd1d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 29 18:18:55 2015 -0400
+
+ Revert "overflow-arith: begin to add support for overflow builtin functions"
+
+ This reverts commit cfd0008de8db38841f7f06b979482900994717b9.
+
+ Conflicts:
+
+ include/linux/compiler-gcc.h
+
+ include/linux/compiler-gcc.h | 4 ----
+ include/linux/overflow-arith.h | 18 ------------------
+ 2 files changed, 0 insertions(+), 22 deletions(-)
+
+commit 225122602b5b7fd58ec5c2a4a1a4a9a29fe7a02a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 29 09:00:11 2015 -0400
+
+ Update size_overflow plugin
+
+ .../size_overflow_plugin/intentional_overflow.c | 3 +++
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 2bf85cb1c3df45d59d8b59aeacf63cbbee360175
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 29 08:52:07 2015 -0400
+
+ Temporarily disable the builtin_overflow again as the kernexec plugin also has problems with it
+
+ include/linux/compiler-gcc.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit a41c8c4d880b6005e874bf5440e24713da8483cd
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 28 19:28:30 2015 -0400
+
+ temporarily work around issue with the dynamic FPU state and lazy FPU mode
+ upstream configures FPU mode based on the eagerfpu variable before it's ever actually
+ set by the commandline parser (so eagerfpu= on the commandline has no effect)
+
+ arch/x86/kernel/fpu/init.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 8452f9d5cfabda9228496050a16bc8728c0ebbb7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 28 19:25:55 2015 -0400
+
+ Remove/reorder some code due to the reverting of the FPU-state-in-task_struct code
+
+ arch/x86/include/asm/fpu/types.h | 69 ++++++++++++++++++--------------------
+ arch/x86/include/asm/processor.h | 10 ++----
+ arch/x86/kernel/fpu/init.c | 20 -----------
+ include/linux/sched.h | 4 +-
+ 4 files changed, 38 insertions(+), 65 deletions(-)
+
+commit c2127bd4215f8f02a1391bef3bde55d0bb1c19bc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 27 23:38:11 2015 -0400
+
+ fix typo
+
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c588def7b5713c31fef2b848bfebf0d727791b82
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 27 21:09:04 2015 -0400
+
+ remove the PAGE_SIZE padding from fpregs_state since it's not included as part
+ of the task struct
+
+ arch/x86/include/asm/fpu/types.h | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit 3bd1e5915353fee1f347577f0e80d925910695f9
+Author: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon Oct 19 18:23:57 2015 +0800
+
+ crypto: api - Only abort operations on fatal signal
+
+ Currently a number of Crypto API operations may fail when a signal
+ occurs. This causes nasty problems as the caller of those operations
+ are often not in a good position to restart the operation.
+
+ In fact there is currently no need for those operations to be
+ interrupted by user signals at all. All we need is for them to
+ be killable.
+
+ This patch replaces the relevant calls of signal_pending with
+ fatal_signal_pending, and wait_for_completion_interruptible with
+ wait_for_completion_killable, respectively.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+ crypto/ablkcipher.c | 2 +-
+ crypto/algapi.c | 2 +-
+ crypto/api.c | 6 +++---
+ crypto/crypto_user.c | 2 +-
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+commit 2b278f02de77bd3d0ffb4c64bc56b702d4e27e49
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 27 18:02:42 2015 -0400
+
+ Update a comment
+
+ arch/x86/include/asm/fpu/internal.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 66cbab70d87485c22946485bfd375c3e88140213
+Merge: cad84c5 8610c94
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 27 07:44:23 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 8610c949a76ac2a09b334f41c35cb8e7a04a0ce8
+Merge: a851b41 f69d603
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 27 07:44:14 2015 -0400
+
+ Merge branch 'linux-4.2.y' into pax-test
+
+commit cad84c52f547c8ba47ddcf39d1f260f55350f0c2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Oct 26 07:33:21 2015 -0400
+
+ re-enable builtin_overflow support
+
+ include/linux/compiler-gcc.h | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit 6e281aebbf456c27ce530055d5668bc5829c02a8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Oct 26 07:32:15 2015 -0400
+
+ Update the size_overflow plugin from Emese to fix the ICE on builtin_overflow use
+
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 3 ++-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+commit 75ed97df02fc6eb862df511da6ca690de3d0f15c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Oct 26 07:17:00 2015 -0400
+
+ Fix from Emese for a size_overflow report in the fbcon code on the
+ 'softback_lines' global variable
+
+ drivers/video/console/fbcon.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit b088cabd42c6fe825baa27f40ab450ad75e571d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 18:09:55 2015 -0400
+
+ Temporarily work around an ICE on GCC >= 5 reported by Daniel Micay due to
+ backporting of __builtin_usub_overflow
+
+ include/linux/compiler-gcc.h | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit ba858f46865c6751af3ddba03b176e4d5ecf85c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 17:59:17 2015 -0400
+
+ Update size_overflow hash table
+
+ .../disable_size_overflow_hash.data | 7 +++++++
+ .../size_overflow_plugin/size_overflow_hash.data | 9 +--------
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+commit ba803bceaea0283b38e91c1d3176bf0671786269
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 15:31:17 2015 -0400
+
+ Fix oversight in pipacs' removal of FPU state from the task struct:
+ fpu_copy was performing an OOB copy starting from the address of the 'state'
+ pointer in the fpu struct instead of starting from the address pointed
+ to by the state pointer. Reported at:
+ https://bugs.archlinux.org/task/46764
+
+ arch/x86/include/asm/fpu/internal.h | 4 ++--
+ arch/x86/kernel/fpu/core.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 26e7d31c5b5c970c50297d2b8be165e9c9ab9d83
+Merge: 85d8735 a851b41
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 13:39:21 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a851b41415a0402d76f10712b6950ddff3872a22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 13:38:25 2015 -0400
+
+ Update to latest size_overflow plugin release:
+ Temporarily ignore bitfield types: https://bugs.archlinux.org/task/46798
+ Use SI or wider type for the size_overflow type: https://forums.grsecurity.net/viewtopic.php?t=4293&p=15655#p15655
+
+ .../size_overflow_plugin/intentional_overflow.c | 3 +++
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 7 +++++++
+ .../size_overflow_transform_core.c | 2 --
+ 4 files changed, 11 insertions(+), 3 deletions(-)
+
+commit 85d8735a1d1190e3ad2e3f032ae88f811090fdfc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 13:01:32 2015 -0400
+
+ fpu doesn't live on the task_struct with PaX, so don't even bother computing some task_size
+ variable that isn't used for anything
+
+ arch/x86/kernel/fpu/init.c | 14 --------------
+ 1 files changed, 0 insertions(+), 14 deletions(-)
+
+commit cfd0008de8db38841f7f06b979482900994717b9
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Oct 16 11:32:42 2015 +0200
+
+ overflow-arith: begin to add support for overflow builtin functions
+
+ The idea of the overflow-arith.h header is to collect overflow checking
+ functions in one central place.
+
+ If gcc compiler supports the __builtin_overflow_* builtins we use them
+ because they might give better performance, otherwise the code falls
+ back to normal overflow checking functions.
+
+ The builtin_overflow functions are supported by gcc-5 and clang. The
+ matter of supporting clang is to just provide a corresponding
+ CC_HAVE_BUILTIN_OVERFLOW, because the specific overflow checking builtins
+ don't differ between gcc and clang.
+
+ I just provide overflow_usub function here as I intend this to get merged
+ into net, more functions will definitely follow as they are needed.
+
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/compiler-gcc.h | 4 ++++
+ include/linux/overflow-arith.h | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+), 0 deletions(-)
+
+commit 18d5034650b637ec479f41d98e3912398b3e3efc
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Oct 16 11:32:43 2015 +0200
+
+ ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
+
+ Raw sockets with hdrincl enabled can insert ipv6 extension headers
+ right into the data stream. In case we need to fragment those packets,
+ we reparse the options header to find the place where we can insert
+ the fragment header. If the extension headers exceed the link's MTU we
+ actually cannot make progress in such a case.
+
+ Instead of ending up in broken arithmetic or rounding towards 0 and
+ entering an endless loop in ip6_fragment, just prevent those cases by
+ aborting early and signal -EMSGSIZE to user space.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv6/ip6_output.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 0e1d1c0f1981b4049a70d23dce4c69daf19f020b
+Merge: c81314c 9470e78
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 11:51:44 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9470e7893a9a1bf15f9b7d412dc09bebb59105e8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 25 11:50:54 2015 -0400
+
+ Temporary squelching of overflow warning on skb_transport_offset(), will be fixed properly after H2HC
+
+ include/linux/skbuff.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit c81314ce278e9cfa3322881a6133c2c7e53b9430
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 24 23:13:36 2015 -0400
+
+ Update recordmcount/fixdep paths in RPM spec, from Andrew
+
+ scripts/package/mkspec | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 798e4296bd55778b5e77f1db69c1bb972419590f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 24 23:11:22 2015 -0400
+
+ Update size_overflow hash table
+
+ .../disable_size_overflow_hash.data | 3 +++
+ .../size_overflow_plugin/size_overflow_hash.data | 5 +----
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit d9ef04f20fc634595883d1c1950c32a8fe04df22
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 24 08:27:29 2015 -0400
+
+ Fix from Emese for https://forums.grsecurity.net/viewtopic.php?f=3&t=4291
+
+ drivers/usb/class/cdc-acm.h | 2 +-
+ include/linux/usb.h | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit eea46f1d247f5f63e3762da91a41cba76567800f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 23 18:24:57 2015 -0400
+
+ Update size_overflow hash tables
+
+ .../disable_size_overflow_hash.data | 5 ++++-
+ .../size_overflow_plugin/size_overflow_hash.data | 5 +----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+commit 8f521b864bd7428f3ad42613416c106d1d619c4d
+Merge: 26adf00 285f0d1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 22 19:41:57 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/gpu/drm/drm_lock.c
+
+commit 285f0d1cda31b45ee217b90861677c032cb6550b
+Merge: d6dc25f 190bd21
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 22 19:40:34 2015 -0400
+
+ Merge branch 'linux-4.2.y' into pax-test
+
+ Conflicts:
+ arch/x86/kernel/process_64.c
+
+commit 26adf00caf8f4ebf155422082d4e8b8e4eb60eef
+Author: Eric W. Biederman <ebiederm@xmission.com>
+Date: Sat Aug 15 13:36:12 2015 -0500
+
+ dcache: Handle escaped paths in prepend_path
+
+ A rename can result in a dentry that by walking up d_parent
+ will never reach it's mnt_root. For lack of a better term
+ I call this an escaped path.
+
+ prepend_path is called by four different functions __d_path,
+ d_absolute_path, d_path, and getcwd.
+
+ __d_path only wants to see paths are connected to the root it passes
+ in. So __d_path needs prepend_path to return an error.
+
+ d_absolute_path similarly wants to see paths that are connected to
+ some root. Escaped paths are not connected to any mnt_root so
+ d_absolute_path needs prepend_path to return an error greater
+ than 1. So escaped paths will be treated like paths on lazily
+ unmounted mounts.
+
+ getcwd needs to prepend "(unreachable)" so getcwd also needs
+ prepend_path to return an error.
+
+ d_path is the interesting hold out. d_path just wants to print
+ something, and does not care about the weird cases. Which raises
+ the question what should be printed?
+
+ Given that <escaped_path>/<anything> should result in -ENOENT I
+ believe it is desirable for escaped paths to be printed as empty
+ paths. As there are not really any meaninful path components when
+ considered from the perspective of a mount tree.
+
+ So tweak prepend_path to return an empty path with an new error
+ code of 3 when it encounters an escaped path.
+
+ Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/dcache.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+commit d402147a7689356c29bfd46a7cfa6594e517ab95
+Author: Salva Peiró <speirofr@gmail.com>
+Date: Wed Oct 14 17:48:02 2015 +0200
+
+ staging/dgnc: fix info leak in ioctl
+
+ The dgnc_mgmt_ioctl() code fails to initialize the 16 _reserved bytes of
+ struct digi_dinfo after the ->dinfo_nboards member. Add an explicit
+ memset(0) before filling the structure to avoid the info leak.
+
+ Signed-off-by: Salva Peiró <speirofr@gmail.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/staging/dgnc/dgnc_mgmt.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit bafc510c4fb4e8a5e69531fdc3a733e58c4bbdbf
+Author: Salva Peiró <speirofr@gmail.com>
+Date: Wed Oct 7 07:09:26 2015 -0300
+
+ [media] media/vivid-osd: fix info leak in ioctl
+
+ The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
+ struct fb_vblank after the ->hcount member. Add an explicit
+ memset(0) before filling the structure to avoid the info leak.
+
+ Signed-off-by: Salva Peiró <speirofr@gmail.com>
+ Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+ Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+
+ drivers/media/platform/vivid/vivid-osd.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 980a903796ae06366fd5acbcd179ee2dc57fbabf
+Author: David Howells <dhowells@redhat.com>
+Date: Mon Oct 19 11:20:28 2015 +0100
+
+ KEYS: Don't permit request_key() to construct a new keyring
+
+ If request_key() is used to find a keyring, only do the search part - don't
+ do the construction part if the keyring was not found by the search. We
+ don't really want keyrings in the negative instantiated state since the
+ rejected/negative instantiation error value in the payload is unioned with
+ keyring metadata.
+
+ Now the kernel gives an error:
+
+ request_key("keyring", "#selinux,bdekeyring", "keyring", KEY_SPEC_USER_SESSION_KEYRING) = -1 EPERM (Operation not permitted)
+
+ Signed-off-by: David Howells <dhowells@redhat.com>
+
+ security/keys/request_key.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit f705c157ed6f8a9c4c0cf552fd5f054d9d500550
+Author: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon Oct 19 13:16:49 2015 +0300
+
+ irda: precedence bug in irlmp_seq_hb_idx()
+
+ This is decrementing the pointer, instead of the value stored in the
+ pointer. KASan detects it as an out of bounds reference.
+
+ Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
+ Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/irda/irlmp.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4a110451298bfce895ed224e6bbd9201d8605b2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 20 19:25:13 2015 -0400
+
+ Ratelimit the dump_stack as well, both to 15s with a burst of 3, enough not to completely
+ flood syslog
+
+ fs/exec.c | 11 +++++++++--
+ 1 files changed, 9 insertions(+), 2 deletions(-)
+
+commit 183fc2ae7d90e077fd27623998d82916260a2223
+Merge: a240939 d6dc25f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 20 19:16:04 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ tools/gcc/size_overflow_plugin/size_overflow_plugin.c
+
+commit d6dc25f193a832e08d8e7cf097d7f70b3dc24776
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 20 19:14:41 2015 -0400
+
+ Update to pax-linux-4.2.3-test16.patch:
+ - fixed undefined integer shift in proc_do_submiturb, reported by Arnaud <arnaud@drno.eu>
+ - fixed integer underflow in scm_detach_fds (similar to 1ac70e7ad24a88710cf9b6d7ababaefa2b575df0 upstream), reported by kdave (https://forums.grsecurity.net/viewtopic.php?f=1&t=4286)
+ - Emese added a temporary workaround for miscompiling the ath10k driver, reported by victor
+ - Emese fixed a false positive that affected the iwlwifi driver among others, reported by victor
+ - Emese disabled size overflow checking in acpi_ex_do_math_op and on acpi_object_integer, reported by xxterry1xx and rfnx (https://forums.grsecurity.net/viewtopic.php?f=3&t=4287)
+
+ drivers/net/wireless/ath/ath10k/ce.c | 2 +-
+ drivers/usb/core/devio.c | 2 +-
+ fs/dlm/lowcomms.c | 2 +-
+ net/core/scm.c | 6 ++-
+ .../disable_size_overflow_hash.data | 4 +-
+ .../size_overflow_plugin/intentional_overflow.c | 44 --------------------
+ tools/gcc/size_overflow_plugin/size_overflow.h | 1 -
+ .../size_overflow_plugin/size_overflow_hash.data | 4 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 3 -
+ .../size_overflow_transform_core.c | 6 +++
+ 11 files changed, 19 insertions(+), 59 deletions(-)
+
+commit a2409394c2b0d97a9f02bf62ca4c0254602e58a6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 20 08:58:25 2015 -0400
+
+ set default to y
+
+ security/Kconfig | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 3abe24117389419654da44adc87a9a03ad7e3f38
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Oct 20 08:08:32 2015 -0400
+
+ Add a new config option from Emese to allow SIZE_OVERFLOW to be enabled
+ while having it not kill the userland process in an overflow condition.
+ This will help us obtain reports over the next few weeks while not making
+ some percentage of users' machines unusable.
+
+ To enable this option, set CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL=y in .config
+
+ fs/exec.c | 5 +++++
+ security/Kconfig | 4 ++++
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 ++--
+ 3 files changed, 11 insertions(+), 2 deletions(-)
+
+commit bcae982f720ce0b3463a81f2b72a4807cb89048b
+Merge: 0e55d80 128d3a5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Oct 19 18:56:09 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 128d3a5452ab001b29235b05eb0be3334fff3998
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Oct 19 18:55:37 2015 -0400
+
+ Update to pax-linux-4.2.3-test14.patch:
+ - Emese fixed a false positive size overflow report, reported by gus (https://forums.grsecurity.net/viewtopic.php?t=4280)
+ - fixed an integer sign mixup in usb_stor_invoke_transport, reported by Arnaud <arnaud@drno.eu>
+
+ drivers/usb/storage/transport.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 15 +++-
+ .../size_overflow_transform_core.c | 90 ++++++++++++++-----
+ 4 files changed, 81 insertions(+), 28 deletions(-)
+
+commit 0e55d80a65998266cab71804131a072fcc8ee558
+Merge: a61fd15 9c4310f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 17 23:15:36 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 9c4310fdb2d19f83affc62eb2698d3763ce8c36b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 17 23:15:13 2015 -0400
+
+ Update to pax-linux-4.2.3-test14.patch:
+ - reverted some page table hardening that caused too much slowdown under virtualization, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275)
+
+ arch/x86/include/asm/pgtable-2level.h | 18 ++----------------
+ arch/x86/include/asm/pgtable-3level.h | 10 ----------
+ arch/x86/include/asm/pgtable_32.h | 2 ++
+ arch/x86/include/asm/pgtable_64.h | 18 ++----------------
+ arch/x86/mm/highmem_32.c | 2 ++
+ arch/x86/mm/init_64.c | 2 ++
+ arch/x86/mm/iomap_32.c | 4 ++++
+ arch/x86/mm/pageattr.c | 4 ++++
+ arch/x86/mm/pgtable.c | 2 ++
+ arch/x86/mm/pgtable_32.c | 3 +++
+ mm/highmem.c | 5 +++++
+ mm/vmalloc.c | 7 +++++++
+ 12 files changed, 35 insertions(+), 42 deletions(-)
+
+commit a61fd152e87bd3ed91194b07f6b1fcbcd165093b
+Merge: 00f1afa db7a8e5
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 17 18:33:48 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit db7a8e5c284179889014b5929a40298e1b228fbc
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 17 18:33:22 2015 -0400
+
+ Update to pax-linux-4.2.3-test13.patch:
+ - Emese worked around a sign mixup with wiphy.rts_threshold, reported by gus (https://forums.grsecurity.net/viewtopic.php?f=3&t=4278)
+
+ .../disable_size_overflow_hash.data | 2 ++
+ .../size_overflow_plugin/size_overflow_hash.data | 2 --
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 00f1afa694317365e9bd6dc77d2e3e96ae3a68ec
+Merge: 7098385 57dc21d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 17 11:04:56 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 57dc21d203a9fa1312a4abc608da5b3644d29078
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 17 11:04:34 2015 -0400
+
+ Update to pax-linux-4.2.3-test12.patch:
+ - removed size_overflow_hash.data.prev that was left behind by accident
+ - Emese fixed a false positive overflow report in the megaraid driver due to a gcc limitation, reported by vortex (https://forums.grsecurity.net/viewtopic.php?f=3&t=4277)
+
+ drivers/scsi/megaraid/megaraid_sas.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 7098385851c43dea6692508c71cd5fbcce3187b2
+Merge: bc6d23e 78b0f64
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 16 17:45:06 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ tools/gcc/size_overflow_plugin/intentional_overflow.c
+
+commit 78b0f643d8d2b870e8ad5df075d4ab79befa4266
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 16 17:44:18 2015 -0400
+
+ Update to pax-linux-4.2.3-test11.patch:
+ - Emese fixed a few false positives caused by error codes
+ - simplified the switch_mm code on x86 a bit
+
+ arch/x86/include/asm/mmu_context.h | 118 +++++--------
+ include/drm/drm_mm.h | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 11 +-
+ tools/gcc/size_overflow_plugin/size_overflow.h | 19 ++-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 178 +++++++++-----------
+ .../size_overflow_transform_core.c | 31 ++--
+ 7 files changed, 169 insertions(+), 192 deletions(-)
+
+commit bc6d23e3408e389f8a96134f6bc915e9fc8b370b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 16 17:28:54 2015 -0400
+
+ Update rpm devel spec, thanks to Andrew
+
+ scripts/package/mkspec | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit b3f30cb9207a72a6aa4a78f23f8c5353be0bb27b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 15 20:10:56 2015 -0400
+
+ disable tracing support with GRKERNSEC_KMEM (it forces debugfs support on)
+
+ kernel/trace/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 82a0c12587f14add438ddf3b558e2278fcb7a387
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 15 19:19:43 2015 -0400
+
+ Force DEBUG_FS off the hard way, since 'select' can cause it to be
+ inadvertently enabled. Add a backup check that fails the build if
+ GRKERNSEC_KMEM is enabled with DEBUG_FS
+ Ditto for PROC_PAGE_MONITOR
+
+ arch/arc/Kconfig | 1 +
+ arch/arm/Kconfig.debug | 1 +
+ arch/arm64/Kconfig.debug | 1 +
+ arch/blackfin/Kconfig.debug | 1 +
+ arch/s390/Kconfig.debug | 1 +
+ arch/x86/Kconfig.debug | 2 ++
+ drivers/iommu/Kconfig | 1 +
+ drivers/md/bcache/Kconfig | 1 +
+ drivers/net/wireless/ath/ath9k/Kconfig | 1 -
+ include/linux/grsecurity.h | 6 ++++++
+ init/Kconfig | 1 +
+ kernel/trace/Kconfig | 2 ++
+ lib/Kconfig.debug | 6 +++++-
+ mm/Kconfig | 3 +++
+ net/sunrpc/Kconfig | 1 +
+ 15 files changed, 27 insertions(+), 2 deletions(-)
+
+commit 1b6f8fc8b8100292647638c713326776a0865705
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 15 17:58:59 2015 -0400
+
+ Force DEBUG_FS off in the kernel config, even having it present is a security
+ risk
+
+ Conflicts:
+
+ lib/Kconfig.debug
+
+ lib/Kconfig.debug | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 21057fc30571f96aa46acf8922417311905d0f2b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 15 08:15:33 2015 -0400
+
+ Backport fix from: https://patchwork.kernel.org/patch/6853351/
+ The debug_read_tlb() uses the sprintf() functions directly on the buffer
+ allocated by buf = kmalloc(count), without taking into account the size
+ of the buffer, with the consequence corrupting the heap, depending on
+ the count requested by the user.
+
+ The patch fixes the issue replacing sprintf() by seq_printf().
+
+ Signed-off-by: Salva Peiró <speirofr@gmail.com>
+
+ drivers/iommu/omap-iommu-debug.c | 26 +++++++-------------------
+ drivers/iommu/omap-iommu.c | 28 +++++++++++-----------------
+ drivers/iommu/omap-iommu.h | 3 +--
+ 3 files changed, 19 insertions(+), 38 deletions(-)
+
+commit ba936d19274485bad900a69d679878a50faa50aa
+Author: Joe Perches <joe@perches.com>
+Date: Wed Oct 14 01:09:40 2015 -0700
+
+ ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
+
+ It seems that kernel memory can leak into userspace by a
+ kmalloc, ethtool_get_strings, then copy_to_user sequence.
+
+ Avoid this by using kcalloc to zero fill the copied buffer.
+
+ Signed-off-by: Joe Perches <joe@perches.com>
+ Acked-by: Ben Hutchings <ben@decadent.org.uk>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/ethtool.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit bae0a8209962cede6a0d486cf2414cac1747f91b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 14 19:54:27 2015 -0400
+
+ Update size_overflow hash table
+
+ .../size_overflow_plugin/size_overflow_hash.data | 53 +++++++++++++++++--
+ 1 files changed, 47 insertions(+), 6 deletions(-)
+
+commit 1d840cc98b8f9b62d3c906ae24385f79c9131e29
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 14 19:50:48 2015 -0400
- fs/kernfs/dir.c | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
+ Update size_overflow hash table
+
+ .../size_overflow_plugin/size_overflow_hash.data | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit fca9b7af6aebd1d80f364d6d849470e917919004
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 14 19:47:21 2015 -0400
+
+ Update size_overflow hash table
+
+ .../size_overflow_plugin/size_overflow_hash.data | 300 ++++++++++++++++----
+ 1 files changed, 244 insertions(+), 56 deletions(-)
+
+commit 07cadc277ba83222698c99091c7da2c28275981f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 14 19:39:44 2015 -0400
+
+ squelch some informational messages only used by Emese
+
+ .../size_overflow_plugin/intentional_overflow.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 77eeeac20bde1e0ebd72efe0f7b5c52786411bc7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 14 19:15:56 2015 -0400
+
+ Re-enable size_overflow
-commit 312541de06f54e26053a0e9464d79b90d46f545d
-Merge: e1d9042 b17fed7
+ security/Kconfig | 1 -
+ 1 files changed, 0 insertions(+), 1 deletions(-)
+
+commit cb8efa1fd63be1bbcf5e585396cc0ed562d0c624
+Merge: 913cbf6 4c48a7f
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Dec 30 23:43:21 2014 -0500
+Date: Wed Oct 14 17:14:42 2015 -0400
Merge branch 'pax-test' into grsec-test
Conflicts:
- arch/x86/kernel/espfix_64.c
- arch/x86/kernel/paravirt_patch_64.c
- drivers/cpufreq/cpufreq-dt.c
+ tools/gcc/size_overflow_plugin/size_overflow_hash.data
-commit b17fed7d4c5657f71060a50f62169d9aadc8bf7e
+commit 4c48a7fc8df9310f994708b42fe1102a2943917c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Dec 30 23:40:01 2014 -0500
+Date: Wed Oct 14 17:12:54 2015 -0400
- Update to pax-linux-3.18.1-test4.patch:
- - fixed REFCOUNT/arm compilation, by N8Fear
- - fixed LOAD_ARGS on amd64 that broke seccomp, reported by many
- - fixed BPF JIT regression under KERNEXEC
- - spender finally figured out and fixed the UDEREF/PCID/PARAVIRT problem, reported by Marcin Mirosław (https://bugs.gentoo.org/show_bug.cgi?id=522252)
- - fixed wrong refcount operation in uart_open, by Rogelio M. Serrano Jr <rogelios664@gmail.com>
- - fixed ESPFIX crash under per-cpu PGD configs (KERNEXEC/UDEREF on amd64), reported by Andy Lutomirski <luto@amacapital.net>
- - spender fixed a KERNEXEC compile error in cpufreq-dt.c
- - constified a few variables
+ Update to pax-linux-4.2.3-test10.patch:
+ - fixed accidentally dropped csum_partial_copy_generic_to_user entry point for pre-P6 i386 configs, by minipli
+ - Emese fixed a bunch of false positives with the size overflow plugin, let's see how it goes in the real world :)
- arch/arm/include/asm/atomic.h | 13 +++++++------
- arch/x86/include/asm/calling.h | 2 +-
- arch/x86/kernel/entry_64.S | 12 ++++++------
- arch/x86/kernel/espfix_64.c | 13 ++++++++-----
- arch/x86/kernel/paravirt_patch_64.c | 8 ++++++++
- arch/x86/kvm/emulate.c | 2 +-
- arch/x86/net/bpf_jit_comp.c | 7 ++-----
- drivers/cpufreq/cpufreq-dt.c | 4 +++-
- drivers/tty/serial/serial_core.c | 2 +-
- kernel/bpf/core.c | 3 +++
- 10 files changed, 40 insertions(+), 26 deletions(-)
+ arch/x86/include/asm/processor.h | 2 +-
+ arch/x86/include/asm/ptrace.h | 8 +-
+ arch/x86/lib/checksum_32.S | 2 +
+ arch/x86/xen/mmu.c | 2 +-
+ drivers/ata/libahci.c | 2 +-
+ drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
+ drivers/oprofile/oprofile_files.c | 2 +-
+ drivers/spi/spidev.c | 2 +-
+ drivers/tty/n_tty.c | 2 +-
+ drivers/usb/core/message.c | 6 +-
+ fs/binfmt_elf.c | 2 +-
+ fs/ubifs/io.c | 2 +-
+ include/drm/drm_mm.h | 2 +-
+ include/linux/completion.h | 12 +-
+ include/linux/jiffies.h | 10 +-
+ include/linux/kernel.h | 2 +-
+ include/linux/mm.h | 2 +-
+ include/linux/random.h | 4 +-
+ include/linux/sched.h | 2 +-
+ include/linux/usb.h | 2 +-
+ kernel/sched/completion.c | 6 +-
+ kernel/time/timer.c | 2 +-
+ lib/bitmap.c | 2 +-
+ mm/internal.h | 2 +-
+ net/sunrpc/svcauth_unix.c | 2 +-
+ .../disable_size_overflow_hash.data |22980 +++++++++++---------
+ .../insert_size_overflow_asm.c | 7 +
+ .../size_overflow_plugin/intentional_overflow.c | 10 +-
+ tools/gcc/size_overflow_plugin/size_overflow.h | 29 +-
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 20 +-
+ .../size_overflow_plugin/size_overflow_hash.data |14092 ++++++++----
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 252 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ .../size_overflow_plugin_hash.c | 13 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 205 +-
+ .../size_overflow_transform_core.c | 4 +-
+ 36 files changed, 21958 insertions(+), 15740 deletions(-)
-commit e1d90424b9df1471cbf16ca54d1877a22f7f35bb
+commit 913cbf6a23fcad570b776b1a5a71242b909c5c99
+Author: Dave Kleikamp <dave.kleikamp@oracle.com>
+Date: Mon Oct 5 10:08:51 2015 -0500
+
+ crypto: sparc - initialize blkcipher.ivsize
+
+ Some of the crypto algorithms write to the initialization vector,
+ but no space has been allocated for it. This clobbers adjacent memory.
+
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+
+ arch/sparc/crypto/aes_glue.c | 2 ++
+ arch/sparc/crypto/camellia_glue.c | 1 +
+ arch/sparc/crypto/des_glue.c | 2 ++
+ 3 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 7af7ad1e287067b7ea659dc0dd3e2e355588e246
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Dec 28 11:47:06 2014 -0500
+Date: Tue Oct 13 08:03:51 2015 -0400
+
+ Apply fix by Tejun Heo for upstream bug reported on the forums by Fuxino:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4276#p15570
+
+ Probably made more easily reproducible via SANITIZE, but we won't know for
+ sure without a full oops report.
+
+ For some reason even though this patch was marked for 4.2+ stable over a month
+ ago, it still hasn't hit Greg's tree.
+
+ block/blk-cgroup.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 8e1f29f9e1af36f71d12213ea6530eb77014c00c
+Author: Dmitry Vyukov <dvyukov@google.com>
+Date: Thu Sep 17 17:17:10 2015 +0200
+
+ tty: fix data race on tty_buffer.commit
+
+ Race on buffer data happens when newly committed data is
+ picked up by an old flush work in the following scenario:
+ __tty_buffer_request_room does a plain write of tail->commit,
+ no barriers were executed before that.
+ At this point flush_to_ldisc reads this new value of commit,
+ and reads buffer data, no barriers in between.
+ The committed buffer data is not necessary visible to flush_to_ldisc.
+
+ Similar bug happens when tty_schedule_flip commits data.
+
+ Update commit with smp_store_release and read commit with
+ smp_load_acquire, as it is commit that signals data readiness.
+ This is orthogonal to the existing synchronization on tty_buffer.next,
+ which is required to not dismiss a buffer with unconsumed data.
+
+ The data race was found with KernelThreadSanitizer (KTSAN).
+
+ Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_buffer.c | 15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+
+commit d62db216e7182e24317596471c1a3a2a9fb9d1f5
+Author: Peter Hurley <peter@hurleysoftware.com>
+Date: Sun Jul 12 20:50:49 2015 -0400
+
+ tty: Replace smp_rmb/smp_wmb with smp_load_acquire/smp_store_release
+
+ Clarify flip buffer producer/consumer operation; the use of
+ smp_load_acquire() and smp_store_release() more clearly indicates
+ which memory access requires a barrier.
+
+ Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_buffer.c | 10 ++++------
+ 1 files changed, 4 insertions(+), 6 deletions(-)
+
+commit c6bbe8a6097f869b6a3d3c40d456727180573dd9
+Author: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
+Date: Fri Oct 2 08:27:05 2015 +0000
+
+ tty: fix stall caused by missing memory barrier in drivers/tty/n_tty.c
+
+ My colleague ran into a program stall on a x86_64 server, where
+ n_tty_read() was waiting for data even if there was data in the buffer
+ in the pty. kernel stack for the stuck process looks like below.
+ #0 [ffff88303d107b58] __schedule at ffffffff815c4b20
+ #1 [ffff88303d107bd0] schedule at ffffffff815c513e
+ #2 [ffff88303d107bf0] schedule_timeout at ffffffff815c7818
+ #3 [ffff88303d107ca0] wait_woken at ffffffff81096bd2
+ #4 [ffff88303d107ce0] n_tty_read at ffffffff8136fa23
+ #5 [ffff88303d107dd0] tty_read at ffffffff81368013
+ #6 [ffff88303d107e20] __vfs_read at ffffffff811a3704
+ #7 [ffff88303d107ec0] vfs_read at ffffffff811a3a57
+ #8 [ffff88303d107f00] sys_read at ffffffff811a4306
+ #9 [ffff88303d107f50] entry_SYSCALL_64_fastpath at ffffffff815c86d7
+
+ There seems to be two problems causing this issue.
+
+ First, in drivers/tty/n_tty.c, __receive_buf() stores the data and
+ updates ldata->commit_head using smp_store_release() and then checks
+ the wait queue using waitqueue_active(). However, since there is no
+ memory barrier, __receive_buf() could return without calling
+ wake_up_interactive_poll(), and at the same time, n_tty_read() could
+ start to wait in wait_woken() as in the following chart.
+
+ __receive_buf() n_tty_read()
+ ------------------------------------------------------------------------
+ if (waitqueue_active(&tty->read_wait))
+ /* Memory operations issued after the
+ RELEASE may be completed before the
+ RELEASE operation has completed */
+ add_wait_queue(&tty->read_wait, &wait);
+ ...
+ if (!input_available_p(tty, 0)) {
+ smp_store_release(&ldata->commit_head,
+ ldata->read_head);
+ ...
+ timeout = wait_woken(&wait,
+ TASK_INTERRUPTIBLE, timeout);
+ ------------------------------------------------------------------------
+
+ The second problem is that n_tty_read() also lacks a memory barrier
+ call and could also cause __receive_buf() to return without calling
+ wake_up_interactive_poll(), and n_tty_read() to wait in wait_woken()
+ as in the chart below.
+
+ __receive_buf() n_tty_read()
+ ------------------------------------------------------------------------
+ spin_lock_irqsave(&q->lock, flags);
+ /* from add_wait_queue() */
+ ...
+ if (!input_available_p(tty, 0)) {
+ /* Memory operations issued after the
+ RELEASE may be completed before the
+ RELEASE operation has completed */
+ smp_store_release(&ldata->commit_head,
+ ldata->read_head);
+ if (waitqueue_active(&tty->read_wait))
+ __add_wait_queue(q, wait);
+ spin_unlock_irqrestore(&q->lock,flags);
+ /* from add_wait_queue() */
+ ...
+ timeout = wait_woken(&wait,
+ TASK_INTERRUPTIBLE, timeout);
+ ------------------------------------------------------------------------
+
+ There are also other places in drivers/tty/n_tty.c which have similar
+ calls to waitqueue_active(), so instead of adding many memory barrier
+ calls, this patch simply removes the call to waitqueue_active(),
+ leaving just wake_up*() behind.
+
+ This fixes both problems because, even though the memory access before
+ or after the spinlocks in both wake_up*() and add_wait_queue() can
+ sneak into the critical section, it cannot go past it and the critical
+ section assures that they will be serialized (please see "INTER-CPU
+ ACQUIRING BARRIER EFFECTS" in Documentation/memory-barriers.txt for a
+ better explanation). Moreover, the resulting code is much simpler.
+
+ Latency measurement using a ping-pong test over a pty doesn't show any
+ visible performance drop.
+
+ Signed-off-by: Kosuke Tatsukawa <tatsu@ab.jp.nec.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/n_tty.c | 15 +++++----------
+ 1 files changed, 5 insertions(+), 10 deletions(-)
+
+commit 3af2011ac1a085a3e8c57ca3a840aec393b37db3
+Author: Dmitry Vyukov <dvyukov@google.com>
+Date: Thu Sep 17 17:17:08 2015 +0200
+
+ tty: fix data race in flush_to_ldisc
+
+ flush_to_ldisc reads port->itty and checks that it is not NULL,
+ concurrently release_tty sets port->itty to NULL. It is possible
+ that flush_to_ldisc loads port->itty once, ensures that it is
+ not NULL, but then reloads it again and uses. The second load
+ can already return NULL, which will cause a crash.
+
+ Use READ_ONCE to read port->itty.
+
+ The data race was found with KernelThreadSanitizer (KTSAN).
+
+ Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_buffer.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4a433f384b0a5b7e39f969ee8df89c56537d078d
+Author: Dmitry Vyukov <dvyukov@google.com>
+Date: Thu Sep 17 17:17:09 2015 +0200
+
+ tty: fix data race in tty_buffer_flush
+
+ tty_buffer_flush frees not acquired buffers.
+ As the result, for example, read of b->size in tty_buffer_free
+ can return garbage value which will lead to a huge buffer
+ hanging in the freelist. This is just the benignest
+ manifestation of freeing of a not acquired object.
+ If the object is passed to kfree, heap can be corrupted.
+
+ Acquire visibility over the buffer before freeing it.
+
+ The data race was found with KernelThreadSanitizer (KTSAN).
+
+ Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Peter Hurley <peter@hurleysoftware.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+ drivers/tty/tty_buffer.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
- Fix a direct userland dereference introduced in the 3.18 port due
- to a variable changing behind the scenes to a userland pointer.
- Caught by UDEREF, reported by slashbeast on IRC
+commit 1477c439d65debf45ac3164a1615504131fad1ff
+Author: Jann Horn <jann@thejh.net>
+Date: Sun Oct 4 19:29:12 2015 +0200
+
+ drivers/tty: require read access for controlling terminal
+
+ This is mostly a hardening fix, given that write-only access to other
+ users' ttys is usually only given through setgid tty executables.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
- fs/namespace.c | 4 ++--
- grsecurity/grsec_mount.c | 4 ++--
- include/linux/grsecurity.h | 2 +-
- 3 files changed, 5 insertions(+), 5 deletions(-)
+ drivers/tty/tty_io.c | 31 +++++++++++++++++++++++++++----
+ 1 files changed, 27 insertions(+), 4 deletions(-)
-commit 0b8c733a613966fc2eb68cbb21b0f1ab3d7c2109
+commit c2d51348729aa244b827216715db7734daf07155
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Dec 28 08:27:25 2014 -0500
+Date: Mon Oct 12 07:19:03 2015 -0400
+
+ Don't auto-enable UDEREF on x64 with a VirtualBox host
+
+ Conflicts:
+
+ security/Kconfig
+
+ security/Kconfig | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
- update size_overflow hash
+commit 45ff0fe97624b7133be6f0280ab8fda4610b7937
+Merge: ca6828e 1c527d2
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 11 17:17:58 2015 -0400
- .../size_overflow_plugin/size_overflow_hash.data | 158 +++++++++++++++++---
- 1 files changed, 137 insertions(+), 21 deletions(-)
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/mm/pgtable.c
-commit cfc17367ad633cf59b51e8770648f433e5291ace
+commit 1c527d25ad2ece4cdb4723047625d96b942a3b91
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Dec 27 21:49:48 2014 -0500
+Date: Sun Oct 11 17:16:49 2015 -0400
- compile fix when building with the constify plugin
+ Update to pax-linux-4.2.3-test9.patch:
+ - really fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272) and quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4275)
+ - fixed a compilation error caused by the above regression, reported by spender
+ - fixed an arm compilation error, reported by Emese
- drivers/cpufreq/cpufreq-dt.c | 6 +++++-
- 1 files changed, 5 insertions(+), 1 deletions(-)
+ arch/arm/kernel/module-plts.c | 7 +------
+ arch/x86/mm/pgtable.c | 21 +++++++++++++++++++--
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+commit ca6828e73b10b4a7537b16a37c2c0280523171e1
+Author: Trond Myklebust <trond.myklebust@primarydata.com>
+Date: Fri Oct 9 13:44:34 2015 -0400
+
+ namei: results of d_is_negative() should be checked after dentry revalidation
+
+ Leandro Awa writes:
+ "After switching to version 4.1.6, our parallelized and distributed
+ workflows now fail consistently with errors of the form:
+
+ T34: ./regex.c:39:22: error: config.h: No such file or directory
+
+ From our 'git bisect' testing, the following commit appears to be the
+ possible cause of the behavior we've been seeing: commit 766c4cbfacd8"
+
+ Al Viro says:
+ "What happens is that 766c4cbfacd8 got the things subtly wrong.
+
+ We used to treat d_is_negative() after lookup_fast() as "fall with
+ ENOENT". That was wrong - checking ->d_flags outside of ->d_seq
+ protection is unreliable and failing with hard error on what should've
+ fallen back to non-RCU pathname resolution is a bug.
+
+ Unfortunately, we'd pulled the test too far up and ran afoul of
+ another kind of staleness. The dentry might have been absolutely
+ stable from the RCU point of view (and we might be on UP, etc), but
+ stale from the remote fs point of view. If ->d_revalidate() returns
+ "it's actually stale", dentry gets thrown away and the original code
+ wouldn't even have looked at its ->d_flags.
+
+ What we need is to check ->d_flags where 766c4cbfacd8 does (prior to
+ ->d_seq validation) but only use the result in cases where we do not
+ discard this dentry outright"
+
+ Reported-by: Leandro Awa <lawa@nvidia.com>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=104911
+ Fixes: 766c4cbfacd8 ("namei: d_is_negative() should be checked...")
+ Tested-by: Leandro Awa <lawa@nvidia.com>
+ Cc: stable@vger.kernel.org # v4.1+
+ Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
+ Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/namei.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+commit c0181260ce096a814637ad60e45a64c94840fffa
+Author: Matt Fleming <matt.fleming@intel.com>
+Date: Fri Sep 25 23:02:18 2015 +0100
+
+ x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down
+
+ Beginning with UEFI v2.5 EFI_PROPERTIES_TABLE was introduced
+ that signals that the firmware PE/COFF loader supports splitting
+ code and data sections of PE/COFF images into separate EFI
+ memory map entries. This allows the kernel to map those regions
+ with strict memory protections, e.g. EFI_MEMORY_RO for code,
+ EFI_MEMORY_XP for data, etc.
+
+ Unfortunately, an unwritten requirement of this new feature is
+ that the regions need to be mapped with the same offsets
+ relative to each other as observed in the EFI memory map. If
+ this is not done crashes like this may occur,
+
+ BUG: unable to handle kernel paging request at fffffffefe6086dd
+ IP: [<fffffffefe6086dd>] 0xfffffffefe6086dd
+ Call Trace:
+ [<ffffffff8104c90e>] efi_call+0x7e/0x100
+ [<ffffffff81602091>] ? virt_efi_set_variable+0x61/0x90
+ [<ffffffff8104c583>] efi_delete_dummy_variable+0x63/0x70
+ [<ffffffff81f4e4aa>] efi_enter_virtual_mode+0x383/0x392
+ [<ffffffff81f37e1b>] start_kernel+0x38a/0x417
+ [<ffffffff81f37495>] x86_64_start_reservations+0x2a/0x2c
+ [<ffffffff81f37582>] x86_64_start_kernel+0xeb/0xef
+
+ Here 0xfffffffefe6086dd refers to an address the firmware
+ expects to be mapped but which the OS never claimed was mapped.
+ The issue is that included in these regions are relative
+ addresses to other regions which were emitted by the firmware
+ toolchain before the "splitting" of sections occurred at
+ runtime.
+
+ Needless to say, we don't satisfy this unwritten requirement on
+ x86_64 and instead map the EFI memory map entries in reverse
+ order. The above crash is almost certainly triggerable with any
+ kernel newer than v3.13 because that's when we rewrote the EFI
+ runtime region mapping code, in commit d2f7cbe7b26a ("x86/efi:
+ Runtime services virtual mapping"). For kernel versions before
+ v3.13 things may work by pure luck depending on the
+ fragmentation of the kernel virtual address space at the time we
+ map the EFI regions.
+
+ Instead of mapping the EFI memory map entries in reverse order,
+ where entry N has a higher virtual address than entry N+1, map
+ them in the same order as they appear in the EFI memory map to
+ preserve this relative offset between regions.
+
+ This patch has been kept as small as possible with the intention
+ that it should be applied aggressively to stable and
+ distribution kernels. It is very much a bugfix rather than
+ support for a new feature, since when EFI_PROPERTIES_TABLE is
+ enabled we must map things as outlined above to even boot - we
+ have no way of asking the firmware not to split the code/data
+ regions.
+
+ In fact, this patch doesn't even make use of the more strict
+ memory protections available in UEFI v2.5. That will come later.
+
+ Suggested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+ Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Cc: Borislav Petkov <bp@suse.de>
+ Cc: Chun-Yi <jlee@suse.com>
+ Cc: Dave Young <dyoung@redhat.com>
+ Cc: H. Peter Anvin <hpa@zytor.com>
+ Cc: James Bottomley <JBottomley@Odin.com>
+ Cc: Lee, Chun-Yi <jlee@suse.com>
+ Cc: Leif Lindholm <leif.lindholm@linaro.org>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Matthew Garrett <mjg59@srcf.ucam.org>
+ Cc: Mike Galbraith <efault@gmx.de>
+ Cc: Peter Jones <pjones@redhat.com>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: linux-kernel@vger.kernel.org
+ Link: http://lkml.kernel.org/r/1443218539-7610-2-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ arch/x86/platform/efi/efi.c | 67 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 66 insertions(+), 1 deletions(-)
+
+commit 9377caab146791c8c587da3750d6eddcd01bdfba
+Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Fri Sep 25 23:02:19 2015 +0100
+
+ arm64/efi: Fix boot crash by not padding between EFI_MEMORY_RUNTIME regions
+
+ The new Properties Table feature introduced in UEFIv2.5 may
+ split memory regions that cover PE/COFF memory images into
+ separate code and data regions. Since these regions only differ
+ in the type (runtime code vs runtime data) and the permission
+ bits, but not in the memory type attributes (UC/WC/WT/WB), the
+ spec does not require them to be aligned to 64 KB.
+
+ Since the relative offset of PE/COFF .text and .data segments
+ cannot be changed on the fly, this means that we can no longer
+ pad out those regions to be mappable using 64 KB pages.
+ Unfortunately, there is no annotation in the UEFI memory map
+ that identifies data regions that were split off from a code
+ region, so we must apply this logic to all adjacent runtime
+ regions whose attributes only differ in the permission bits.
+
+ So instead of rounding each memory region to 64 KB alignment at
+ both ends, only round down regions that are not directly
+ preceded by another runtime region with the same type
+ attributes. Since the UEFI spec does not mandate that the memory
+ map be sorted, this means we also need to sort it first.
+
+ Note that this change will result in all EFI_MEMORY_RUNTIME
+ regions whose start addresses are not aligned to the OS page
+ size to be mapped with executable permissions (i.e., on kernels
+ compiled with 64 KB pages). However, since these mappings are
+ only active during the time that UEFI Runtime Services are being
+ invoked, the window for abuse is rather small.
+
+ Tested-by: Mark Salter <msalter@redhat.com>
+ Tested-by: Mark Rutland <mark.rutland@arm.com> [UEFI 2.4 only]
+ Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+ Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+ Reviewed-by: Mark Salter <msalter@redhat.com>
+ Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+ Cc: <stable@vger.kernel.org> # v4.0+
+ Cc: Catalin Marinas <catalin.marinas@arm.com>
+ Cc: Leif Lindholm <leif.lindholm@linaro.org>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Mike Galbraith <efault@gmx.de>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Will Deacon <will.deacon@arm.com>
+ Cc: linux-kernel@vger.kernel.org
+ Link: http://lkml.kernel.org/r/1443218539-7610-3-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ arch/arm64/kernel/efi.c | 3 +-
+ drivers/firmware/efi/libstub/arm-stub.c | 88 +++++++++++++++++++++++++-----
+ 2 files changed, 75 insertions(+), 16 deletions(-)
+
+commit 189124f1e733622c44d72060832af3c68d7ee8bc
+Author: Ralf Baechle <ralf@linux-mips.org>
+Date: Fri Oct 2 09:48:57 2015 +0200
+
+ MIPS: BPF: Fix load delay slots.
+
+ The entire bpf_jit_asm.S is written in noreorder mode because "we know
+ better" according to a comment. This also prevented the assembler from
+ throwing in the required NOPs for MIPS I processors which have no
+ load-use interlock, thus the load's consumer might end up using the
+ old value of the register from prior to the load.
+
+ Fixed by putting the assembler in reorder mode for just the affected
+ load instructions. This is not enough for gas to actually try to be
+ clever by looking at the next instruction and inserting a nop only
+ when needed but as the comment said "we know better", so getting gas
+ to unconditionally emit a NOP is just right in this case and prevents
+ adding further ifdefery.
+
+ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+
+ arch/mips/net/bpf_jit_asm.S | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit b4b012d6599fbc3c6e81f0a03cd59eb9f0095ed8
+Author: Lee, Chun-Yi <joeyli.kernel@gmail.com>
+Date: Tue Sep 29 20:58:57 2015 +0800
+
+ x86/kexec: Fix kexec crash in syscall kexec_file_load()
+
+ The original bug is a page fault crash that sometimes happens
+ on big machines when preparing ELF headers:
+
+ BUG: unable to handle kernel paging request at ffffc90613fc9000
+ IP: [<ffffffff8103d645>] prepare_elf64_ram_headers_callback+0x165/0x260
+
+ The bug is caused by us under-counting the number of memory ranges
+ and subsequently not allocating enough ELF header space for them.
+ The bug is typically masked on smaller systems, because the ELF header
+ allocation is rounded up to the next page.
+
+ This patch modifies the code in fill_up_crash_elf_data() by using
+ walk_system_ram_res() instead of walk_system_ram_range() to correctly
+ count the max number of crash memory ranges. That's because the
+ walk_system_ram_range() filters out small memory regions that
+ reside in the same page, but walk_system_ram_res() does not.
+
+ Here's how I found the bug:
+
+ After tracing prepare_elf64_headers() and prepare_elf64_ram_headers_callback(),
+ the code uses walk_system_ram_res() to fill-in crash memory regions information
+ to the program header, so it counts those small memory regions that
+ reside in a page area.
+
+ But, when the kernel was using walk_system_ram_range() in
+ fill_up_crash_elf_data() to count the number of crash memory regions,
+ it filters out small regions.
+
+ I printed those small memory regions, for example:
+
+ kexec: Get nr_ram ranges. vaddr=0xffff880077592258 paddr=0x77592258, sz=0xdc0
+
+ Based on the code in walk_system_ram_range(), this memory region
+ will be filtered out:
+
+ pfn = (0x77592258 + 0x1000 - 1) >> 12 = 0x77593
+ end_pfn = (0x77592258 + 0xfc0 -1 + 1) >> 12 = 0x77593
+ end_pfn - pfn = 0x77593 - 0x77593 = 0 <=== if (end_pfn > pfn) is FALSE
+
+ So, the max_nr_ranges that's counted by the kernel doesn't include
+ small memory regions - causing us to under-allocate the required space.
+ That causes the page fault crash that happens in a later code path
+ when preparing ELF headers.
+
+ This bug is not easy to reproduce on small machines that have few
+ CPUs, because the allocated page aligned ELF buffer has more free
+ space to cover those small memory regions' PT_LOAD headers.
+
+ Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
+ Cc: Andy Lutomirski <luto@kernel.org>
+ Cc: Baoquan He <bhe@redhat.com>
+ Cc: Jiang Liu <jiang.liu@linux.intel.com>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Cc: Mike Galbraith <efault@gmx.de>
+ Cc: Peter Zijlstra <peterz@infradead.org>
+ Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+ Cc: Takashi Iwai <tiwai@suse.de>
+ Cc: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Viresh Kumar <viresh.kumar@linaro.org>
+ Cc: Vivek Goyal <vgoyal@redhat.com>
+ Cc: kexec@lists.infradead.org
+ Cc: linux-kernel@vger.kernel.org
+ Cc: <stable@vger.kernel.org>
+ Link: http://lkml.kernel.org/r/1443531537-29436-1-git-send-email-jlee@suse.com
+ Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+ arch/x86/kernel/crash.c | 7 +++----
+ 1 files changed, 3 insertions(+), 4 deletions(-)
+
+commit bf91f1e0162bdd27ebd1411090a81fd9188daa4f
+Author: Elad Raz <eladr@mellanox.com>
+Date: Sat Aug 22 08:44:11 2015 +0300
-commit 50c8201bd5ad953107babef76a103c049d1940f3
+ netfilter: ipset: Fixing unnamed union init
+
+ In continue to proposed Vinson Lee's post [1], this patch fixes compilation
+ issues founded at gcc 4.4.7. The initialization of .cidr field of unnamed
+ unions causes compilation error in gcc 4.4.x.
+
+ References
+
+ Visible links
+ [1] https://lkml.org/lkml/2015/7/5/74
+
+ Signed-off-by: Elad Raz <eladr@mellanox.com>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ net/netfilter/ipset/ip_set_hash_netnet.c | 20 ++++++++++++++++++--
+ net/netfilter/ipset/ip_set_hash_netportnet.c | 20 ++++++++++++++++++--
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+commit fed13a5012b8d7e87a6f9efa2e40e0be28eaecd9
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Dec 27 21:30:59 2014 -0500
+Date: Fri Oct 9 23:12:43 2015 -0400
compile fix
- kernel/kmod.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ arch/x86/mm/pgtable.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 58edc15a668a6dd90b3f66abc84b509f8fba7505
+Author: Daniel Borkmann <daniel@iogearbox.net>
+Date: Mon Aug 31 19:11:02 2015 +0200
+
+ netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths
+
+ Commit 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack
+ templates") migrated templates to the new allocator api, but forgot to
+ update error paths for them in CT and synproxy to use nf_ct_tmpl_free()
+ instead of nf_conntrack_free().
+
+ Due to that, memory is being freed into the wrong kmemcache, but also
+ we drop the per net reference count of ct objects causing an imbalance.
+
+ In Brad's case, this leads to a wrap-around of net->ct.count and thus
+ lets __nf_conntrack_alloc() refuse to create a new ct object:
+
+ [ 10.340913] xt_addrtype: ipv6 does not support BROADCAST matching
+ [ 10.810168] nf_conntrack: table full, dropping packet
+ [ 11.917416] r8169 0000:07:00.0 eth0: link up
+ [ 11.917438] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
+ [ 12.815902] nf_conntrack: table full, dropping packet
+ [ 15.688561] nf_conntrack: table full, dropping packet
+ [ 15.689365] nf_conntrack: table full, dropping packet
+ [ 15.690169] nf_conntrack: table full, dropping packet
+ [ 15.690967] nf_conntrack: table full, dropping packet
+ [...]
+
+ With slab debugging, it also reports the wrong kmemcache (kmalloc-512 vs.
+ nf_conntrack_ffffffff81ce75c0) and reports poison overwrites, etc. Thus,
+ to fix the problem, export and use nf_ct_tmpl_free() instead.
+
+ Fixes: 0838aa7fcfcd ("netfilter: fix netns dependencies with conntrack templates")
+ Reported-by: Brad Jackson <bjackson0971@gmail.com>
+ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ include/net/netfilter/nf_conntrack.h | 1 +
+ net/netfilter/nf_conntrack_core.c | 3 ++-
+ net/netfilter/nf_synproxy_core.c | 2 +-
+ net/netfilter/xt_CT.c | 2 +-
+ 4 files changed, 5 insertions(+), 3 deletions(-)
-commit cca21c02a2fbd37d799d02a8d22621b772999a58
+commit 37d26e44573aaa9c3b1f0c36ec9d4bddc008fc03
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Dec 27 21:26:45 2014 -0500
+Date: Fri Oct 9 18:22:54 2015 -0400
- compile fix
+ Fix BUG() in scatterwalk_map_and_copy caused by virt_to_page being
+ called on the KSTACKOVERFLOW's vmalloc'd stack. Thanks to
+ Yves-Alexis Perez for the report
+
+ crypto/scatterwalk.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+commit 8137d53d2b60023587a48004f0b67946ed6db4a8
+Merge: 147420b a9c991f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 9 18:20:32 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+commit a9c991f727bb8daf15838296e301683791c17071
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 9 18:20:07 2015 -0400
+
+ Update to pax-linux-4.2.3-test8.patch:
+ - fixed vsyscall/pvclock regression caused by the recent page table hardening, reported by kamil (https://forums.grsecurity.net/viewtopic.php?f=3&t=4272)
+
+ arch/x86/kernel/espfix_64.c | 4 +---
+ arch/x86/kernel/kvmclock.c | 20 ++++++--------------
+ arch/x86/mm/highmem_32.c | 2 ++
+ arch/x86/mm/pgtable.c | 33 +++++++++++++++++++++++++++++++++
+ 4 files changed, 42 insertions(+), 17 deletions(-)
+
+commit 147420b0f00c7f20f354e1dfa460b904a3af432b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Oct 9 08:54:24 2015 -0400
+
+ Properly fix the bug reported at:
+ https://code.google.com/p/android/issues/detail?id=187973
+
+ drivers/net/slip/slhc.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 4918a68ea80e1185ec8f3a94d3a2210552ed0bb5
+Merge: 4e736d9 7e02f35
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 7 20:57:21 2015 -0400
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ arch/x86/kernel/espfix_64.c
+
+commit 7e02f35880fd6bdb2f4e7ba07a13d6df1d121008
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Oct 7 20:54:36 2015 -0400
+
+ Update to pax-linux-4.2.3-test7.patch:
+ - backported vanilla commits b763ec17ac762470eec5be8ebcc43e4f8b2c2b82 and 176fc2d5770a0990eebff903ba680d2edd32e718
+ - constified a few more page tables for ESPFIX/amd64
+ - fixed xen and the recently added level1_modules_pgt page tables on amd64
+
+ arch/x86/include/asm/pgtable_64.h | 1 +
+ arch/x86/kernel/espfix_64.c | 35 +++++++++++++++++++++++----------
+ arch/x86/xen/mmu.c | 4 +++
+ drivers/base/regmap/regmap-debugfs.c | 14 +++++-------
+ 4 files changed, 35 insertions(+), 19 deletions(-)
+
+commit 4e736d9e568f6cc0d08dfe7519abf9a5d58a5418
+Author: Robin Murphy <robin.murphy@arm.com>
+Date: Thu Oct 1 15:37:19 2015 -0700
+
+ dmapool: fix overflow condition in pool_find_page()
+
+ If a DMA pool lies at the very top of the dma_addr_t range (as may
+ happen with an IOMMU involved), the calculated end address of the pool
+ wraps around to zero, and page lookup always fails.
+
+ Tweak the relevant calculation to be overflow-proof.
+
+ Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+ Cc: Arnd Bergmann <arnd@arndb.de>
+ Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+ Cc: Sumit Semwal <sumit.semwal@linaro.org>
+ Cc: Sakari Ailus <sakari.ailus@iki.fi>
+ Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/dmapool.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
- include/linux/grsecurity.h | 10 ----------
- include/linux/mm.h | 10 ++++++++++
- 2 files changed, 10 insertions(+), 10 deletions(-)
+commit 96a101a9b4208a6e5f2a0db7599881142e70ba43
+Author: Greg Thelen <gthelen@google.com>
+Date: Thu Oct 1 15:37:05 2015 -0700
-commit b32189fdf83a7d458c6bb636faf4a9829efa5844
+ memcg: make mem_cgroup_read_stat() unsigned
+
+ mem_cgroup_read_stat() returns a page count by summing per cpu page
+ counters. The summing is racy wrt. updates, so a transient negative
+ sum is possible. Callers don't want negative values:
+
+ - mem_cgroup_wb_stats() doesn't want negative nr_dirty or nr_writeback.
+ This could confuse dirty throttling.
+
+ - oom reports and memory.stat shouldn't show confusing negative usage.
+
+ - tree_usage() already avoids negatives.
+
+ Avoid returning negative page counts from mem_cgroup_read_stat() and
+ convert it to unsigned.
+
+ [akpm@linux-foundation.org: fix old typo while we're in there]
+ Signed-off-by: Greg Thelen <gthelen@google.com>
+ Cc: Johannes Weiner <hannes@cmpxchg.org>
+ Acked-by: Michal Hocko <mhocko@suse.com>
+ Cc: <stable@vger.kernel.org> [4.2+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ mm/memcontrol.c | 30 ++++++++++++++++++------------
+ 1 files changed, 18 insertions(+), 12 deletions(-)
+
+commit b7808c46650d5f4c09f071566de991af36eb9d37
+Author: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri Oct 2 12:06:03 2015 +0200
+
+ bpf: fix panic in SO_GET_FILTER with native ebpf programs
+
+ When sockets have a native eBPF program attached through
+ setsockopt(sk, SOL_SOCKET, SO_ATTACH_BPF, ...), and then try to
+ dump these over getsockopt(sk, SOL_SOCKET, SO_GET_FILTER, ...),
+ the following panic appears:
+
+ [49904.178642] BUG: unable to handle kernel NULL pointer dereference at (null)
+ [49904.178762] IP: [<ffffffff81610fd9>] sk_get_filter+0x39/0x90
+ [49904.182000] PGD 86fc9067 PUD 531a1067 PMD 0
+ [49904.185196] Oops: 0000 [#1] SMP
+ [...]
+ [49904.224677] Call Trace:
+ [49904.226090] [<ffffffff815e3d49>] sock_getsockopt+0x319/0x740
+ [49904.227535] [<ffffffff812f59e3>] ? sock_has_perm+0x63/0x70
+ [49904.228953] [<ffffffff815e2fc8>] ? release_sock+0x108/0x150
+ [49904.230380] [<ffffffff812f5a43>] ? selinux_socket_getsockopt+0x23/0x30
+ [49904.231788] [<ffffffff815dff36>] SyS_getsockopt+0xa6/0xc0
+ [49904.233267] [<ffffffff8171b9ae>] entry_SYSCALL_64_fastpath+0x12/0x71
+
+ The underlying issue is the very same as in commit b382c0865600
+ ("sock, diag: fix panic in sock_diag_put_filterinfo"), that is,
+ native eBPF programs don't store an original program since this
+ is only needed in cBPF ones.
+
+ However, sk_get_filter() wasn't updated to test for this at the
+ time when eBPF could be attached. Just throw an error to the user
+ to indicate that eBPF cannot be dumped over this interface.
+ That way, it can also be known that a program _is_ attached (as
+ opposed to just return 0), and a different (future) method needs
+ to be consulted for a dump.
+
+ Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets")
+ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+ Acked-by: Alexei Starovoitov <ast@plumgrid.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/filter.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+commit 40853c884afb5fc2dcb9f7fc34ef446162566fcc
+Author: Steve French <smfrench@gmail.com>
+Date: Mon Sep 28 17:21:07 2015 -0500
+
+ [SMB3] Do not fall back to SMBWriteX in set_file_size error cases
+
+ The error paths in set_file_size for cifs and smb3 are incorrect.
+
+ In the unlikely event that a server did not support set file info
+ of the file size, the code incorrectly falls back to trying SMBWriteX
+ (note that only the original core SMB Write, used for example by DOS,
+ can set the file size this way - this actually does not work for the more
+ recent SMBWriteX). The idea was since the old DOS SMB Write could set
+ the file size if you write zero bytes at that offset then use that if
+ server rejects the normal set file info call.
+
+ Fortunately the SMBWriteX will never be sent on the wire (except when
+ file size is zero) since the length and offset fields were reversed
+ in the two places in this function that call SMBWriteX causing
+ the fall back path to return an error. It is also important to never call
+ an SMB request from an SMB2/sMB3 session (which theoretically would
+ be possible, and can cause a brief session drop, although the client
+ recovers) so this should be fixed. In practice this path does not happen
+ with modern servers but the error fall back to SMBWriteX is clearly wrong.
+
+ Removing the calls to SMBWriteX in the error paths in cifs_set_file_size
+
+ Pointed out by PaX/grsecurity team
+
+ Signed-off-by: Steve French <steve.french@primarydata.com>
+ Reported-by: PaX Team <pageexec@freemail.hu>
+ CC: Emese Revfy <re.emese@gmail.com>
+ CC: Brad Spengler <spender@grsecurity.net>
+ CC: Stable <stable@vger.kernel.org>
+
+ fs/cifs/inode.c | 34 ----------------------------------
+ 1 files changed, 0 insertions(+), 34 deletions(-)
+
+commit f5fad97c967a08f4a89513969598b1d3c8232a38
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Dec 27 21:19:27 2014 -0500
+Date: Wed Oct 7 18:22:40 2015 -0400
- Initial import of grsecurity for 3.18.1
+ Initial import of grsecurity for Linux 4.2.3
+ Note that size_overflow is currently marked BROKEN
Documentation/dontdiff | 2 +
- Documentation/kernel-parameters.txt | 4 +
+ Documentation/kernel-parameters.txt | 7 +
+ Documentation/sysctl/kernel.txt | 15 +
Makefile | 18 +-
arch/alpha/include/asm/cache.h | 4 +-
arch/alpha/kernel/osf_sys.c | 12 +-
arch/arm/mm/Kconfig | 2 +-
arch/arm/mm/fault.c | 40 +-
arch/arm/mm/mmap.c | 8 +-
- arch/arm/net/bpf_jit_32.c | 4 +
+ arch/arm/net/bpf_jit_32.c | 51 +-
arch/avr32/include/asm/cache.h | 4 +-
arch/blackfin/include/asm/cache.h | 3 +-
arch/cris/include/arch-v10/arch/cache.h | 3 +-
arch/mips/Kconfig | 1 +
arch/mips/include/asm/cache.h | 3 +-
arch/mips/include/asm/thread_info.h | 11 +-
- arch/mips/kernel/irq.c | 4 +
+ arch/mips/kernel/irq.c | 3 +
arch/mips/kernel/ptrace.c | 9 +
arch/mips/mm/mmap.c | 4 +-
arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
arch/powerpc/kernel/ptrace.c | 14 +
arch/powerpc/kernel/traps.c | 5 +
arch/powerpc/mm/slice.c | 2 +-
- arch/powerpc/platforms/cell/celleb_scc_pciex.c | 4 +-
arch/s390/include/asm/cache.h | 4 +-
arch/score/include/asm/cache.h | 4 +-
arch/sh/include/asm/cache.h | 3 +-
arch/tile/mm/hugetlbpage.c | 2 +
arch/um/include/asm/cache.h | 3 +-
arch/unicore32/include/asm/cache.h | 6 +-
- arch/x86/Kconfig | 5 +
+ arch/x86/Kconfig | 21 +
+ arch/x86/entry/entry_32.S | 2 +-
+ arch/x86/entry/entry_64.S | 2 +-
arch/x86/ia32/ia32_aout.c | 2 +
arch/x86/include/asm/floppy.h | 20 +-
arch/x86/include/asm/io.h | 2 +-
- arch/x86/include/asm/kvm_host.h | 1 +
arch/x86/include/asm/page.h | 12 +-
arch/x86/include/asm/paravirt_types.h | 23 +-
arch/x86/include/asm/processor.h | 2 +-
arch/x86/include/asm/thread_info.h | 8 +-
- arch/x86/include/uapi/asm/ldt.h | 7 +
arch/x86/kernel/dumpstack.c | 10 +-
arch/x86/kernel/dumpstack_32.c | 2 +-
arch/x86/kernel/dumpstack_64.c | 2 +-
- arch/x86/kernel/entry_32.S | 2 +-
- arch/x86/kernel/entry_64.S | 2 +-
- arch/x86/kernel/espfix_64.c | 14 +-
+ arch/x86/kernel/espfix_64.c | 2 +-
+ arch/x86/kernel/fpu/init.c | 4 +-
arch/x86/kernel/ioport.c | 13 +
arch/x86/kernel/irq_32.c | 3 +
arch/x86/kernel/irq_64.c | 4 +
- arch/x86/kernel/kvm.c | 9 +-
- arch/x86/kernel/kvmclock.c | 1 -
+ arch/x86/kernel/ldt.c | 18 +
arch/x86/kernel/msr.c | 10 +
- arch/x86/kernel/paravirt_patch_64.c | 4 +
arch/x86/kernel/ptrace.c | 28 +
arch/x86/kernel/signal.c | 9 +-
arch/x86/kernel/sys_i386_32.c | 9 +-
arch/x86/kernel/sys_x86_64.c | 8 +-
- arch/x86/kernel/tls.c | 39 +
arch/x86/kernel/traps.c | 5 +
arch/x86/kernel/verify_cpu.S | 1 +
arch/x86/kernel/vm86_32.c | 16 +
- arch/x86/kvm/emulate.c | 2 +-
- arch/x86/kvm/x86.c | 2 +
arch/x86/mm/fault.c | 12 +-
arch/x86/mm/hugetlbpage.c | 15 +-
arch/x86/mm/init.c | 66 +-
arch/x86/xen/Kconfig | 1 +
arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
- arch/xtensa/variants/s6000/include/variant/core.h | 3 +-
drivers/acpi/acpica/hwxfsleep.c | 11 +-
drivers/acpi/custom_method.c | 4 +
drivers/block/cciss.h | 30 +-
drivers/char/random.c | 5 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 2 -
drivers/firewire/ohci.c | 4 +
+ drivers/gpu/drm/drm_context.c | 50 +-
+ drivers/gpu/drm/drm_drv.c | 11 +-
+ drivers/gpu/drm/drm_lock.c | 18 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 3 +-
drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
+ drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +-
drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
- drivers/hid/hid-logitech-dj.c | 6 +
- drivers/hid/hid-sony.c | 147 +-
drivers/hid/hid-wiimote-debug.c | 2 +-
drivers/infiniband/hw/nes/nes_cm.c | 22 +-
drivers/iommu/amd_iommu.c | 14 +-
drivers/scsi/bfa/bfa_fcs.c | 19 +-
drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
drivers/scsi/bfa/bfa_modules.h | 12 +-
- drivers/scsi/hpsa.h | 50 +-
- drivers/staging/line6/driver.c | 17 +-
+ drivers/scsi/hpsa.h | 40 +-
drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
- drivers/staging/lustre/lustre/llite/dir.c | 2 +-
+ drivers/staging/sm750fb/sm750.c | 3 +
+ drivers/tty/serial/uartlite.c | 4 +-
drivers/tty/sysrq.c | 2 +-
drivers/tty/vt/keyboard.c | 22 +-
drivers/uio/uio.c | 6 +-
drivers/usb/gadget/function/f_uac1.c | 1 +
drivers/usb/gadget/function/u_uac1.c | 1 +
drivers/usb/host/hwa-hc.c | 9 +-
+ drivers/usb/usbip/vhci_sysfs.c | 2 +-
drivers/video/fbdev/arcfb.c | 2 +-
drivers/video/fbdev/matrox/matroxfb_DAC1064.c | 10 +-
drivers/video/fbdev/matrox/matroxfb_Ti3026.c | 5 +-
drivers/video/fbdev/sh_mobile_lcdcfb.c | 6 +-
- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
+ drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++-----
drivers/xen/xenfs/xenstored.c | 5 +
+ firmware/Makefile | 2 +
+ firmware/WHENCE | 20 +-
+ firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 +++++++++++++++++
+ firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 ++++++++++++++++++++
fs/attr.c | 1 +
fs/autofs4/waitq.c | 9 +
fs/binfmt_aout.c | 7 +
fs/binfmt_elf.c | 40 +-
- fs/btrfs/ioctl.c | 6 +-
fs/compat.c | 20 +-
fs/coredump.c | 17 +-
- fs/debugfs/inode.c | 4 +
- fs/exec.c | 216 ++-
+ fs/dcache.c | 3 +
+ fs/debugfs/inode.c | 11 +-
+ fs/exec.c | 218 +-
fs/ext2/balloc.c | 4 +-
fs/ext2/super.c | 8 +-
fs/ext3/balloc.c | 4 +-
fs/fhandle.c | 3 +-
fs/file.c | 4 +
fs/filesystems.c | 4 +
- fs/fs_struct.c | 13 +-
+ fs/fs_struct.c | 20 +-
fs/hugetlbfs/inode.c | 5 +-
- fs/inode.c | 6 +-
- fs/isofs/rock.c | 6 +
+ fs/inode.c | 8 +-
+ fs/kernfs/dir.c | 6 +
fs/mount.h | 4 +-
- fs/namei.c | 235 ++-
- fs/namespace.c | 26 +
+ fs/namei.c | 285 +-
+ fs/namespace.c | 24 +
fs/nfsd/nfscache.c | 2 +-
fs/open.c | 38 +
+ fs/overlayfs/inode.c | 3 +
+ fs/overlayfs/super.c | 6 +-
fs/pipe.c | 2 +-
fs/posix_acl.c | 15 +-
fs/proc/Kconfig | 10 +-
fs/proc/array.c | 66 +-
- fs/proc/base.c | 161 ++-
+ fs/proc/base.c | 168 +-
fs/proc/cmdline.c | 4 +
fs/proc/devices.c | 4 +
fs/proc/fd.c | 17 +-
- fs/proc/generic.c | 69 +-
+ fs/proc/generic.c | 64 +
fs/proc/inode.c | 17 +
fs/proc/internal.h | 11 +-
fs/proc/interrupts.c | 4 +
fs/proc/proc_sysctl.c | 52 +-
fs/proc/root.c | 8 +
fs/proc/stat.c | 69 +-
- fs/proc/task_mmu.c | 74 +-
+ fs/proc/task_mmu.c | 66 +-
fs/readdir.c | 19 +
fs/reiserfs/item_ops.c | 24 +-
fs/reiserfs/super.c | 4 +
fs/select.c | 2 +
- fs/seq_file.c | 33 +-
+ fs/seq_file.c | 30 +-
fs/stat.c | 20 +-
- fs/sysfs/dir.c | 24 +-
+ fs/sysfs/dir.c | 30 +-
fs/utimes.c | 7 +
- fs/xattr.c | 34 +-
- grsecurity/Kconfig | 1166 +++++++++
+ fs/xattr.c | 26 +-
+ grsecurity/Kconfig | 1182 ++++
grsecurity/Makefile | 54 +
- grsecurity/gracl.c | 2703 +++++++++++++++++++
+ grsecurity/gracl.c | 2757 +++++++++
grsecurity/gracl_alloc.c | 105 +
grsecurity/gracl_cap.c | 127 +
- grsecurity/gracl_compat.c | 270 ++
- grsecurity/gracl_fs.c | 445 ++++
- grsecurity/gracl_ip.c | 386 +++
- grsecurity/gracl_learn.c | 207 ++
- grsecurity/gracl_policy.c | 1782 +++++++++++++
+ grsecurity/gracl_compat.c | 269 +
+ grsecurity/gracl_fs.c | 448 ++
+ grsecurity/gracl_ip.c | 386 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_policy.c | 1786 ++++++
grsecurity/gracl_res.c | 68 +
- grsecurity/gracl_segv.c | 313 +++
+ grsecurity/gracl_segv.c | 304 +
grsecurity/gracl_shm.c | 40 +
grsecurity/grsec_chdir.c | 19 +
- grsecurity/grsec_chroot.c | 385 +++
- grsecurity/grsec_disabled.c | 440 ++++
- grsecurity/grsec_exec.c | 188 ++
- grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_chroot.c | 467 ++
+ grsecurity/grsec_disabled.c | 445 ++
+ grsecurity/grsec_exec.c | 189 +
+ grsecurity/grsec_fifo.c | 26 +
grsecurity/grsec_fork.c | 23 +
- grsecurity/grsec_init.c | 286 ++
+ grsecurity/grsec_init.c | 290 +
grsecurity/grsec_ipc.c | 48 +
- grsecurity/grsec_link.c | 58 +
- grsecurity/grsec_log.c | 341 +++
+ grsecurity/grsec_link.c | 65 +
+ grsecurity/grsec_log.c | 340 +
grsecurity/grsec_mem.c | 48 +
grsecurity/grsec_mount.c | 65 +
- grsecurity/grsec_pax.c | 45 +
+ grsecurity/grsec_pax.c | 47 +
grsecurity/grsec_proc.c | 20 +
grsecurity/grsec_ptrace.c | 30 +
- grsecurity/grsec_sig.c | 236 ++
- grsecurity/grsec_sock.c | 244 ++
- grsecurity/grsec_sysctl.c | 479 ++++
+ grsecurity/grsec_sig.c | 236 +
+ grsecurity/grsec_sock.c | 244 +
+ grsecurity/grsec_sysctl.c | 488 ++
grsecurity/grsec_time.c | 16 +
grsecurity/grsec_tpe.c | 78 +
grsecurity/grsec_usb.c | 15 +
grsecurity/grsum.c | 64 +
- include/asm-generic/io.h | 2 +-
+ include/drm/drmP.h | 23 +-
include/linux/binfmts.h | 5 +-
- include/linux/capability.h | 5 +
- include/linux/compiler-gcc4.h | 5 +
+ include/linux/capability.h | 13 +
+ include/linux/compiler-gcc.h | 5 +
include/linux/compiler.h | 8 +
include/linux/cred.h | 8 +-
- include/linux/dcache.h | 2 +-
+ include/linux/dcache.h | 5 +-
include/linux/fs.h | 24 +-
include/linux/fs_struct.h | 2 +-
include/linux/fsnotify.h | 6 +
- include/linux/gracl.h | 340 +++
- include/linux/gracl_compat.h | 156 ++
+ include/linux/gracl.h | 342 +
+ include/linux/gracl_compat.h | 156 +
include/linux/gralloc.h | 9 +
include/linux/grdefs.h | 140 +
- include/linux/grinternal.h | 229 ++
- include/linux/grmsg.h | 117 +
- include/linux/grsecurity.h | 254 ++
+ include/linux/grinternal.h | 230 +
+ include/linux/grmsg.h | 118 +
+ include/linux/grsecurity.h | 249 +
include/linux/grsock.h | 19 +
+ include/linux/ipc.h | 2 +-
include/linux/ipc_namespace.h | 2 +-
include/linux/kallsyms.h | 18 +-
include/linux/kmod.h | 5 +
include/linux/kobject.h | 2 +-
- include/linux/mm.h | 2 +
+ include/linux/lsm_hooks.h | 4 +-
+ include/linux/mm.h | 12 +
include/linux/mm_types.h | 4 +-
- include/linux/module.h | 4 +-
+ include/linux/module.h | 5 +-
include/linux/mount.h | 2 +-
include/linux/netfilter/xt_gradm.h | 9 +
include/linux/path.h | 4 +-
include/linux/perf_event.h | 13 +-
include/linux/pid_namespace.h | 2 +-
- include/linux/printk.h | 3 +-
+ include/linux/printk.h | 2 +-
include/linux/proc_fs.h | 22 +-
include/linux/proc_ns.h | 2 +-
include/linux/random.h | 2 +-
include/linux/rbtree_augmented.h | 4 +-
- include/linux/scatterlist.h | 7 +
- include/linux/sched.h | 104 +-
+ include/linux/scatterlist.h | 12 +-
+ include/linux/sched.h | 110 +-
include/linux/security.h | 3 +-
include/linux/seq_file.h | 5 +
- include/linux/shm.h | 4 +
+ include/linux/shm.h | 6 +-
include/linux/skbuff.h | 3 +
include/linux/slab.h | 9 -
- include/linux/sysctl.h | 4 +-
+ include/linux/sysctl.h | 8 +-
include/linux/thread_info.h | 6 +-
include/linux/tty.h | 2 +-
include/linux/tty_driver.h | 4 +-
include/linux/user_namespace.h | 2 +-
include/linux/utsname.h | 2 +-
include/linux/vermagic.h | 16 +-
- include/linux/vmalloc.h | 4 +
+ include/linux/vmalloc.h | 8 +
include/net/af_unix.h | 2 +-
include/net/ip.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 2 +-
- include/net/sock.h | 4 +-
+ include/net/sock.h | 2 +-
include/trace/events/fs.h | 53 +
+ include/uapi/drm/i915_drm.h | 1 +
include/uapi/linux/personality.h | 1 +
init/Kconfig | 3 +-
- init/main.c | 25 +-
+ init/main.c | 35 +-
ipc/mqueue.c | 1 +
- ipc/shm.c | 23 +
- ipc/util.c | 6 +
+ ipc/msg.c | 14 +-
+ ipc/shm.c | 36 +-
+ ipc/util.c | 14 +-
+ kernel/auditsc.c | 2 +-
kernel/bpf/syscall.c | 8 +-
kernel/capability.c | 41 +-
kernel/cgroup.c | 5 +-
kernel/compat.c | 1 +
kernel/configs.c | 11 +
- kernel/cred.c | 113 +-
+ kernel/cred.c | 112 +-
kernel/events/core.c | 14 +-
kernel/exit.c | 10 +-
kernel/fork.c | 86 +-
kernel/futex.c | 4 +-
kernel/kallsyms.c | 9 +
kernel/kcmp.c | 4 +
- kernel/kmod.c | 94 +-
+ kernel/kexec.c | 2 +-
+ kernel/kmod.c | 95 +-
kernel/kprobes.c | 7 +-
kernel/ksysfs.c | 2 +
kernel/locking/lockdep_proc.c | 10 +-
- kernel/module.c | 106 +-
+ kernel/module.c | 108 +-
kernel/panic.c | 4 +-
kernel/pid.c | 19 +-
kernel/power/Kconfig | 2 +
- kernel/printk/printk.c | 5 +
+ kernel/printk/printk.c | 7 +-
kernel/ptrace.c | 20 +-
kernel/resource.c | 10 +
kernel/sched/core.c | 11 +-
kernel/signal.c | 37 +-
kernel/sys.c | 64 +-
- kernel/sysctl.c | 71 +-
+ kernel/sysctl.c | 180 +-
kernel/taskstats.c | 6 +
kernel/time/posix-timers.c | 8 +
kernel/time/time.c | 5 +
kernel/time/timekeeping.c | 3 +
- kernel/time/timer_list.c | 12 +
+ kernel/time/timer_list.c | 13 +-
kernel/time/timer_stats.c | 10 +-
kernel/trace/trace_syscalls.c | 8 +
kernel/user_namespace.c | 15 +
lib/Kconfig.debug | 7 +-
lib/is_single_threaded.c | 3 +
lib/list_debug.c | 65 +-
+ lib/nlattr.c | 2 +
lib/rbtree.c | 4 +-
- lib/vsprintf.c | 37 +-
+ lib/vsprintf.c | 39 +-
localversion-grsec | 1 +
mm/Kconfig | 5 +-
+ mm/Kconfig.debug | 1 +
mm/filemap.c | 1 +
+ mm/hugetlb.c | 8 +
mm/kmemleak.c | 4 +-
- mm/memory.c | 4 +-
+ mm/memory.c | 2 +-
mm/mempolicy.c | 12 +-
mm/migrate.c | 3 +-
mm/mlock.c | 6 +-
mm/mmap.c | 93 +-
mm/mprotect.c | 8 +
+ mm/page_alloc.c | 2 +-
mm/process_vm_access.c | 6 +
mm/shmem.c | 2 +-
- mm/slab.c | 2 +-
+ mm/slab.c | 27 +-
mm/slab_common.c | 2 +-
- mm/slub.c | 22 +-
+ mm/slob.c | 12 +
+ mm/slub.c | 33 +-
mm/util.c | 3 +
- mm/vmalloc.c | 68 +-
+ mm/vmalloc.c | 80 +-
mm/vmstat.c | 29 +-
net/appletalk/atalk_proc.c | 2 +-
net/atm/lec.c | 6 +-
net/atm/mpoa_caches.c | 42 +-
- net/bluetooth/6lowpan.c | 1 -
- net/bluetooth/bnep/core.c | 3 +
- net/bluetooth/cmtp/core.c | 3 +
- net/bluetooth/hidp/core.c | 3 +-
net/can/bcm.c | 2 +-
net/can/proc.c | 2 +-
net/core/dev_ioctl.c | 7 +-
net/core/filter.c | 8 +-
net/core/net-procfs.c | 17 +-
net/core/pktgen.c | 2 +-
- net/core/sock_diag.c | 7 +
+ net/core/sock.c | 3 +-
net/core/sysctl_net_core.c | 2 +-
net/decnet/dn_dev.c | 2 +-
net/ipv4/devinet.c | 6 +-
net/netfilter/xt_gradm.c | 51 +
net/netfilter/xt_hashlimit.c | 4 +-
net/netfilter/xt_recent.c | 2 +-
- net/socket.c | 72 +-
+ net/socket.c | 71 +-
net/sunrpc/cache.c | 2 +-
net/sunrpc/stats.c | 2 +-
net/sysctl_net.c | 2 +-
- net/unix/af_unix.c | 31 +-
+ net/unix/af_unix.c | 52 +-
net/vmw_vsock/vmci_transport_notify.c | 30 +-
net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
net/x25/sysctl_net_x25.c | 2 +-
net/x25/x25_proc.c | 2 +-
scripts/package/Makefile | 2 +-
scripts/package/mkspec | 38 +-
- security/Kconfig | 363 +++-
+ security/Kconfig | 370 +-
security/apparmor/file.c | 4 +-
security/apparmor/lsm.c | 8 +-
security/commoncap.c | 29 +
security/min_addr.c | 2 +
security/tomoyo/file.c | 12 +-
security/tomoyo/mount.c | 4 +
- security/tomoyo/tomoyo.c | 22 +-
+ security/tomoyo/tomoyo.c | 20 +-
security/yama/Kconfig | 2 +-
- sound/core/seq/oss/seq_oss.c | 4 +-
- sound/core/seq/seq_midi.c | 4 +-
- sound/drivers/opl3/opl3_seq.c | 4 +-
- sound/drivers/opl4/opl4_seq.c | 4 +-
- sound/isa/sb/emu8000_synth.c | 4 +-
- sound/pci/emu10k1/emu10k1_synth.c | 4 +-
sound/synth/emux/emux_seq.c | 14 +-
+ sound/usb/line6/driver.c | 40 +-
+ sound/usb/line6/toneport.c | 12 +-
tools/gcc/.gitignore | 1 +
tools/gcc/Makefile | 12 +
tools/gcc/gen-random-seed.sh | 8 +
- tools/gcc/randomize_layout_plugin.c | 915 +++++++
- tools/gcc/size_overflow_plugin/.gitignore | 2 +
- .../size_overflow_plugin/size_overflow_hash.data | 1 +
- 459 files changed, 19226 insertions(+), 2801 deletions(-)
+ tools/gcc/randomize_layout_plugin.c | 930 +++
+ tools/gcc/size_overflow_plugin/.gitignore | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 320 +-
+ 466 files changed, 32295 insertions(+), 2907 deletions(-)
+
+commit fc19197ab5a42069863a7d88f1d41eb687697fe9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 4 20:43:51 2015 -0400
+
+ Update to pax-linux-4.2.3-test6.patch:
+ - fixed a KERNEXEC/x86 and early ioremap regression, reported by spender
+ - sanitized a few more top level page table entries on amd64
+
+ arch/x86/kernel/espfix_64.c | 2 +-
+ arch/x86/kernel/head_64.S | 8 ++++----
+ arch/x86/mm/ioremap.c | 6 +++++-
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+commit 23ac5415b9ef394e10b1516d3b314c742c6a3e59
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 4 17:47:37 2015 -0400
+
+ Resync with pax-linux-4.2.3-test5.patch
+
+ arch/x86/include/asm/pgtable-2level.h | 20 ++++++++++++++++----
+ arch/x86/include/asm/pgtable-3level.h | 8 ++++++++
+ arch/x86/include/asm/pgtable_32.h | 2 --
+ arch/x86/include/asm/pgtable_64.h | 20 ++++++++++++++++----
+ arch/x86/mm/highmem_32.c | 2 --
+ arch/x86/mm/init_64.c | 2 --
+ arch/x86/mm/iomap_32.c | 4 ----
+ arch/x86/mm/ioremap.c | 2 +-
+ arch/x86/mm/pgtable.c | 2 --
+ arch/x86/mm/pgtable_32.c | 3 ---
+ mm/highmem.c | 6 +-----
+ mm/vmalloc.c | 12 +-----------
+ .../size_overflow_plugin/size_overflow_hash.data | 2 --
+ 13 files changed, 43 insertions(+), 42 deletions(-)
+
+commit 25f4bed80f0d87783793a70d6c20080031a1fd38
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Oct 4 13:06:32 2015 -0400
+
+ Update to pax-linux-4.2.3-test5.patch:
+ - forward port to 4.2.3
+ - fixed integer sign conversion errors caused by ieee80211_tx_rate_control.max_rate_idx, caught by the size overflow plugin
+ - fixed a bug in try_preserve_large_page that caused unnecessary large page split ups
+ - increased the number of statically allocated kernel page tables under KERNEXEC/amd64
+
+ arch/x86/include/asm/pgtable-2level.h | 2 ++
+ arch/x86/include/asm/pgtable-3level.h | 5 +++++
+ arch/x86/include/asm/pgtable_64.h | 2 ++
+ arch/x86/kernel/cpu/bugs_64.c | 2 ++
+ arch/x86/kernel/head_64.S | 28 +++++++++++++++++++++++-----
+ arch/x86/kernel/vmlinux.lds.S | 8 +++++++-
+ arch/x86/mm/init.c | 18 ++++++++++++++----
+ arch/x86/mm/ioremap.c | 8 ++++++--
+ arch/x86/mm/pageattr.c | 5 ++---
+ arch/x86/mm/pgtable.c | 2 ++
+ include/asm-generic/sections.h | 1 +
+ include/asm-generic/vmlinux.lds.h | 2 ++
+ include/net/mac80211.h | 2 +-
+ mm/vmalloc.c | 7 ++++++-
+ 14 files changed, 75 insertions(+), 17 deletions(-)
+
+commit a2dce7cb2e3c389b7ef6c76c15ccdbf506007ddd
+Merge: d113ff6 fcba09f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Oct 3 09:12:31 2015 -0400
+
+ Merge branch 'linux-4.2.y' into pax-test
+
+commit d113ff6e7835e89e2b954503b1a100750ddb43c7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Thu Oct 1 21:34:12 2015 -0400
-commit 0f40ebc1077b768d5ae559097efe5666b219ded5
+ Update to pax-linux-4.2.2-test5.patch:
+ - fixed a RANDKSTACK regression, reported by spender
+ - fixed some more compiler warnings due to the ktla_ktva changes, reported by spender
+
+ arch/x86/entry/entry_64.S | 2 ++
+ arch/x86/kernel/process.c | 1 +
+ drivers/hv/hv.c | 2 +-
+ drivers/lguest/x86/core.c | 4 ++--
+ drivers/misc/kgdbts.c | 4 ++--
+ drivers/video/fbdev/uvesafb.c | 4 ++--
+ fs/binfmt_elf_fdpic.c | 2 +-
+ 7 files changed, 11 insertions(+), 8 deletions(-)
+
+commit 149e32a4dddfae46e2490f011870cd4492ca946c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Sep 29 16:31:50 2015 -0400
+
+ Update to pax-linux-4.2.2-test4.patch:
+ - fixed a few compiler warnings caused by the recently reworked ktla_ktva/ktva_ktla functions, reported by spender
+ - Emese fixed a size overflow false positive in the IDE driver, reported by spender
+
+ arch/x86/lib/insn.c | 2 +-
+ drivers/ide/ide-disk.c | 2 +-
+ drivers/video/fbdev/vesafb.c | 4 ++--
+ fs/binfmt_elf.c | 2 +-
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 ++--
+ .../size_overflow_transform_core.c | 11 +++++------
+ 6 files changed, 12 insertions(+), 13 deletions(-)
+
+commit 02c41b848fbaddf82ce98690b23d3d85a94d55fe
+Merge: b8b2f5b 7659db3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Sep 29 15:50:40 2015 -0400
+
+ Merge branch 'linux-4.2.y' into pax-test
+
+ Conflicts:
+ fs/nfs/inode.c
+
+commit b8b2f5bc93ced0ca9a8366d0f3fa09abd1ca7ac6
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Dec 27 18:26:26 2014 -0500
+Date: Tue Sep 29 09:13:54 2015 -0400
- Initial import of PaX for 3.18.1
+ Initial import of pax-linux-4.2.1-test3.patch
Documentation/dontdiff | 47 +-
Documentation/kbuild/makefiles.txt | 39 +-
Documentation/kernel-parameters.txt | 28 +
- Makefile | 106 +-
+ Makefile | 108 +-
arch/alpha/include/asm/atomic.h | 10 +
arch/alpha/include/asm/elf.h | 7 +
arch/alpha/include/asm/pgalloc.h | 6 +
arch/alpha/kernel/osf_sys.c | 8 +-
arch/alpha/mm/fault.c | 141 +-
arch/arm/Kconfig | 2 +-
- arch/arm/include/asm/atomic.h | 296 +-
+ arch/arm/include/asm/atomic.h | 319 +-
arch/arm/include/asm/barrier.h | 2 +-
arch/arm/include/asm/cache.h | 5 +-
arch/arm/include/asm/cacheflush.h | 2 +-
arch/arm/include/asm/checksum.h | 14 +-
- arch/arm/include/asm/cmpxchg.h | 2 +
+ arch/arm/include/asm/cmpxchg.h | 4 +
+ arch/arm/include/asm/cpuidle.h | 2 +-
arch/arm/include/asm/domain.h | 33 +-
- arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/elf.h | 9 +-
arch/arm/include/asm/fncpy.h | 2 +
arch/arm/include/asm/futex.h | 10 +
arch/arm/include/asm/kmap_types.h | 2 +-
arch/arm/include/asm/mach/map.h | 16 +-
arch/arm/include/asm/outercache.h | 2 +-
arch/arm/include/asm/page.h | 3 +-
- arch/arm/include/asm/pgalloc.h | 22 +-
- arch/arm/include/asm/pgtable-2level-hwdef.h | 5 +
+ arch/arm/include/asm/pgalloc.h | 20 +
+ arch/arm/include/asm/pgtable-2level-hwdef.h | 4 +-
arch/arm/include/asm/pgtable-2level.h | 3 +
- arch/arm/include/asm/pgtable-3level-hwdef.h | 1 +
arch/arm/include/asm/pgtable-3level.h | 3 +
arch/arm/include/asm/pgtable.h | 54 +-
arch/arm/include/asm/psci.h | 2 +-
arch/arm/include/asm/smp.h | 2 +-
arch/arm/include/asm/thread_info.h | 6 +-
arch/arm/include/asm/tls.h | 3 +
- arch/arm/include/asm/uaccess.h | 96 +-
+ arch/arm/include/asm/uaccess.h | 100 +-
arch/arm/include/uapi/asm/ptrace.h | 2 +-
arch/arm/kernel/armksyms.c | 8 +-
+ arch/arm/kernel/cpuidle.c | 2 +-
arch/arm/kernel/entry-armv.S | 110 +-
arch/arm/kernel/entry-common.S | 40 +-
arch/arm/kernel/entry-header.S | 60 +
arch/arm/kernel/fiq.c | 3 +
arch/arm/kernel/head.S | 2 +-
- arch/arm/kernel/module.c | 31 +-
+ arch/arm/kernel/module.c | 38 +-
arch/arm/kernel/patch.c | 2 +
- arch/arm/kernel/process.c | 83 +-
+ arch/arm/kernel/process.c | 90 +-
arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/reboot.c | 1 +
arch/arm/kernel/setup.c | 20 +-
arch/arm/kernel/signal.c | 35 +-
arch/arm/kernel/smp.c | 2 +-
arch/arm/kernel/tcm.c | 4 +-
arch/arm/kernel/traps.c | 6 +-
- arch/arm/kernel/vmlinux.lds.S | 24 +-
+ arch/arm/kernel/vmlinux.lds.S | 6 +-
arch/arm/kvm/arm.c | 10 +-
arch/arm/lib/clear_user.S | 6 +-
arch/arm/lib/copy_from_user.S | 6 +-
arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/csumpartialcopyuser.S | 4 +-
arch/arm/lib/delay.c | 2 +-
- arch/arm/lib/uaccess_with_memcpy.c | 4 +-
- arch/arm/mach-at91/setup.c | 2 +-
- arch/arm/mach-keystone/keystone.c | 2 +-
+ arch/arm/lib/uaccess_with_memcpy.c | 8 +-
+ arch/arm/mach-exynos/suspend.c | 6 +-
arch/arm/mach-mvebu/coherency.c | 4 +-
arch/arm/mach-omap2/board-n8x0.c | 2 +-
- arch/arm/mach-omap2/gpmc.c | 22 +-
arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
+ arch/arm/mach-omap2/omap-smp.c | 1 +
arch/arm/mach-omap2/omap-wakeupgen.c | 2 +-
arch/arm/mach-omap2/omap_device.c | 4 +-
arch/arm/mach-omap2/omap_device.h | 4 +-
arch/arm/mach-omap2/omap_hwmod.c | 4 +-
arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +-
arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-shmobile/platsmp-apmu.c | 5 +-
+ arch/arm/mach-shmobile/pm-r8a7740.c | 5 +-
+ arch/arm/mach-shmobile/pm-sh73a0.c | 5 +-
arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
- arch/arm/mach-ux500/setup.h | 7 -
+ arch/arm/mach-tegra/irq.c | 1 +
+ arch/arm/mach-ux500/pm.c | 1 +
+ arch/arm/mach-zynq/platsmp.c | 1 +
arch/arm/mm/Kconfig | 6 +-
arch/arm/mm/alignment.c | 8 +
arch/arm/mm/cache-l2x0.c | 2 +-
arch/arm/mm/context.c | 10 +-
arch/arm/mm/fault.c | 146 +
arch/arm/mm/fault.h | 12 +
- arch/arm/mm/init.c | 41 +
+ arch/arm/mm/init.c | 39 +
arch/arm/mm/ioremap.c | 4 +-
arch/arm/mm/mmap.c | 30 +-
arch/arm/mm/mmu.c | 182 +-
arch/arm/net/bpf_jit_32.c | 3 +
arch/arm/plat-iop/setup.c | 2 +-
arch/arm/plat-omap/sram.c | 2 +
- arch/arm/plat-samsung/include/plat/dma-ops.h | 2 +-
+ arch/arm64/include/asm/atomic.h | 10 +
arch/arm64/include/asm/barrier.h | 2 +-
+ arch/arm64/include/asm/percpu.h | 8 +-
+ arch/arm64/include/asm/pgalloc.h | 5 +
arch/arm64/include/asm/uaccess.h | 1 +
+ arch/arm64/mm/dma-mapping.c | 2 +-
arch/avr32/include/asm/elf.h | 8 +-
arch/avr32/include/asm/kmap_types.h | 4 +-
arch/avr32/mm/fault.c | 27 +
arch/ia64/include/asm/pgtable.h | 13 +-
arch/ia64/include/asm/spinlock.h | 2 +-
arch/ia64/include/asm/uaccess.h | 27 +-
- arch/ia64/kernel/module.c | 48 +-
+ arch/ia64/kernel/module.c | 45 +-
arch/ia64/kernel/palinfo.c | 2 +-
arch/ia64/kernel/sys_ia64.c | 7 +
arch/ia64/kernel/vmlinux.lds.S | 2 +-
arch/m32r/lib/usercopy.c | 6 +
arch/metag/include/asm/barrier.h | 2 +-
arch/mips/cavium-octeon/dma-octeon.c | 2 +-
- arch/mips/include/asm/atomic.h | 346 +-
+ arch/mips/include/asm/atomic.h | 355 +-
arch/mips/include/asm/barrier.h | 2 +-
- arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/elf.h | 7 +
arch/mips/include/asm/exec.h | 2 +-
arch/mips/include/asm/hw_irq.h | 2 +-
arch/mips/include/asm/local.h | 57 +
arch/mips/kernel/irq.c | 6 +-
arch/mips/kernel/pm-cps.c | 2 +-
arch/mips/kernel/process.c | 12 -
- arch/mips/kernel/reset.c | 4 +
arch/mips/kernel/sync-r4k.c | 24 +-
arch/mips/kernel/traps.c | 13 +-
arch/mips/kvm/mips.c | 2 +-
arch/mips/mm/fault.c | 25 +
arch/mips/mm/mmap.c | 51 +-
- arch/mips/pci/pci-octeon.c | 4 +-
- arch/mips/pci/pcie-octeon.c | 12 +-
arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
arch/mips/sni/rm200.c | 2 +-
arch/mips/vr41xx/common/icu.c | 2 +-
arch/parisc/mm/fault.c | 140 +-
arch/powerpc/include/asm/atomic.h | 329 +-
arch/powerpc/include/asm/barrier.h | 2 +-
- arch/powerpc/include/asm/elf.h | 19 +-
+ arch/powerpc/include/asm/elf.h | 12 +
arch/powerpc/include/asm/exec.h | 2 +-
arch/powerpc/include/asm/kmap_types.h | 2 +-
arch/powerpc/include/asm/local.h | 46 +
arch/powerpc/include/asm/smp.h | 2 +-
arch/powerpc/include/asm/spinlock.h | 42 +-
arch/powerpc/include/asm/uaccess.h | 141 +-
+ arch/powerpc/kernel/Makefile | 5 +
arch/powerpc/kernel/exceptions-64e.S | 4 +-
arch/powerpc/kernel/exceptions-64s.S | 2 +-
arch/powerpc/kernel/module_32.c | 15 +-
- arch/powerpc/kernel/process.c | 55 -
+ arch/powerpc/kernel/process.c | 46 -
arch/powerpc/kernel/signal_32.c | 2 +-
arch/powerpc/kernel/signal_64.c | 2 +-
arch/powerpc/kernel/traps.c | 21 +
arch/powerpc/kernel/vdso.c | 5 +-
arch/powerpc/kvm/powerpc.c | 2 +-
arch/powerpc/lib/usercopy_64.c | 18 -
- arch/powerpc/mm/fault.c | 54 +-
- arch/powerpc/mm/mmap.c | 24 +-
+ arch/powerpc/mm/fault.c | 56 +-
+ arch/powerpc/mm/mmap.c | 16 +
arch/powerpc/mm/slice.c | 13 +-
arch/powerpc/platforms/cell/spufs/file.c | 4 +-
arch/s390/include/asm/atomic.h | 10 +
arch/s390/include/asm/barrier.h | 2 +-
- arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/elf.h | 7 +
arch/s390/include/asm/exec.h | 2 +-
arch/s390/include/asm/uaccess.h | 13 +-
arch/s390/kernel/module.c | 22 +-
- arch/s390/kernel/process.c | 34 -
- arch/s390/mm/mmap.c | 24 +
+ arch/s390/kernel/process.c | 24 -
+ arch/s390/mm/mmap.c | 16 +
arch/score/include/asm/exec.h | 2 +-
arch/score/kernel/process.c | 5 -
arch/sh/mm/mmap.c | 22 +-
arch/sparc/include/asm/pgtsrmmu.h | 5 +
arch/sparc/include/asm/setup.h | 4 +-
arch/sparc/include/asm/spinlock_64.h | 35 +-
- arch/sparc/include/asm/thread_info_32.h | 2 +
+ arch/sparc/include/asm/thread_info_32.h | 1 +
arch/sparc/include/asm/thread_info_64.h | 2 +
arch/sparc/include/asm/uaccess.h | 1 +
- arch/sparc/include/asm/uaccess_32.h | 27 +-
- arch/sparc/include/asm/uaccess_64.h | 19 +-
+ arch/sparc/include/asm/uaccess_32.h | 28 +-
+ arch/sparc/include/asm/uaccess_64.h | 24 +-
arch/sparc/kernel/Makefile | 2 +-
arch/sparc/kernel/prom_common.c | 2 +-
arch/sparc/kernel/smp_64.c | 8 +-
arch/sparc/lib/ksyms.c | 6 +-
arch/sparc/mm/Makefile | 2 +-
arch/sparc/mm/fault_32.c | 292 +
- arch/sparc/mm/fault_64.c | 486 ++
+ arch/sparc/mm/fault_64.c | 486 +
arch/sparc/mm/hugetlbpage.c | 22 +-
arch/sparc/mm/init_64.c | 10 +-
arch/tile/include/asm/atomic_64.h | 10 +
arch/um/include/asm/page.h | 3 +
arch/um/include/asm/pgtable-3level.h | 1 +
arch/um/kernel/process.c | 16 -
- arch/x86/Kconfig | 11 +-
+ arch/x86/Kconfig | 15 +-
arch/x86/Kconfig.cpu | 6 +-
arch/x86/Kconfig.debug | 4 +-
arch/x86/Makefile | 13 +-
arch/x86/boot/boot.h | 2 +-
arch/x86/boot/compressed/Makefile | 3 +
arch/x86/boot/compressed/efi_stub_32.S | 16 +-
+ arch/x86/boot/compressed/efi_thunk_64.S | 4 +-
arch/x86/boot/compressed/head_32.S | 4 +-
arch/x86/boot/compressed/head_64.S | 12 +-
arch/x86/boot/compressed/misc.c | 11 +-
arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +-
arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +-
- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 4 +-
arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 +
arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/entry/calling.h | 92 +-
+ arch/x86/entry/entry_32.S | 360 +-
+ arch/x86/entry/entry_64.S | 636 +-
+ arch/x86/entry/entry_64_compat.S | 159 +-
+ arch/x86/entry/thunk_64.S | 2 +
+ arch/x86/entry/vdso/Makefile | 2 +-
+ arch/x86/entry/vdso/vdso2c.h | 4 +-
+ arch/x86/entry/vdso/vma.c | 41 +-
+ arch/x86/entry/vsyscall/vsyscall_64.c | 16 +-
arch/x86/ia32/ia32_signal.c | 23 +-
- arch/x86/ia32/ia32entry.S | 172 +-
- arch/x86/ia32/sys_ia32.c | 4 +-
- arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/ia32/sys_ia32.c | 42 +-
+ arch/x86/include/asm/alternative-asm.h | 43 +-
arch/x86/include/asm/alternative.h | 4 +-
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/apm.h | 4 +-
- arch/x86/include/asm/atomic.h | 271 +-
+ arch/x86/include/asm/atomic.h | 269 +-
arch/x86/include/asm/atomic64_32.h | 100 +
arch/x86/include/asm/atomic64_64.h | 164 +-
arch/x86/include/asm/barrier.h | 4 +-
arch/x86/include/asm/bitops.h | 18 +-
- arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/boot.h | 2 +-
arch/x86/include/asm/cache.h | 5 +-
- arch/x86/include/asm/cacheflush.h | 2 +-
- arch/x86/include/asm/calling.h | 120 +-
arch/x86/include/asm/checksum_32.h | 12 +-
arch/x86/include/asm/cmpxchg.h | 39 +
arch/x86/include/asm/compat.h | 2 +-
- arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/cpufeature.h | 17 +-
arch/x86/include/asm/desc.h | 78 +-
arch/x86/include/asm/desc_defs.h | 6 +
arch/x86/include/asm/div64.h | 2 +-
- arch/x86/include/asm/elf.h | 36 +-
+ arch/x86/include/asm/elf.h | 33 +-
arch/x86/include/asm/emergency-restart.h | 2 +-
- arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/fpu/internal.h | 36 +-
+ arch/x86/include/asm/fpu/types.h | 5 +-
arch/x86/include/asm/futex.h | 14 +-
arch/x86/include/asm/hw_irq.h | 4 +-
arch/x86/include/asm/i8259.h | 2 +-
- arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/io.h | 22 +-
arch/x86/include/asm/irqflags.h | 5 +
arch/x86/include/asm/kprobes.h | 9 +-
arch/x86/include/asm/local.h | 106 +-
arch/x86/include/asm/mman.h | 15 +
- arch/x86/include/asm/mmu.h | 16 +-
- arch/x86/include/asm/mmu_context.h | 136 +-
+ arch/x86/include/asm/mmu.h | 14 +-
+ arch/x86/include/asm/mmu_context.h | 138 +-
arch/x86/include/asm/module.h | 17 +-
arch/x86/include/asm/nmi.h | 19 +-
arch/x86/include/asm/page.h | 1 +
- arch/x86/include/asm/page_64.h | 4 +-
+ arch/x86/include/asm/page_32.h | 12 +-
+ arch/x86/include/asm/page_64.h | 14 +-
arch/x86/include/asm/paravirt.h | 46 +-
arch/x86/include/asm/paravirt_types.h | 15 +-
arch/x86/include/asm/pgalloc.h | 23 +
arch/x86/include/asm/pgtable-2level.h | 2 +
arch/x86/include/asm/pgtable-3level.h | 4 +
- arch/x86/include/asm/pgtable.h | 126 +-
+ arch/x86/include/asm/pgtable.h | 128 +-
arch/x86/include/asm/pgtable_32.h | 14 +-
- arch/x86/include/asm/pgtable_32_types.h | 15 +-
- arch/x86/include/asm/pgtable_64.h | 20 +-
+ arch/x86/include/asm/pgtable_32_types.h | 24 +-
+ arch/x86/include/asm/pgtable_64.h | 22 +-
arch/x86/include/asm/pgtable_64_types.h | 5 +
arch/x86/include/asm/pgtable_types.h | 26 +-
arch/x86/include/asm/preempt.h | 2 +-
- arch/x86/include/asm/processor.h | 79 +-
- arch/x86/include/asm/ptrace.h | 26 +-
+ arch/x86/include/asm/processor.h | 59 +-
+ arch/x86/include/asm/ptrace.h | 21 +-
arch/x86/include/asm/qrwlock.h | 4 +-
arch/x86/include/asm/realmode.h | 4 +-
arch/x86/include/asm/reboot.h | 10 +-
arch/x86/include/asm/rmwcc.h | 84 +-
arch/x86/include/asm/rwsem.h | 60 +-
- arch/x86/include/asm/segment.h | 29 +-
- arch/x86/include/asm/smap.h | 64 +-
+ arch/x86/include/asm/segment.h | 27 +-
+ arch/x86/include/asm/smap.h | 43 +
arch/x86/include/asm/smp.h | 14 +-
arch/x86/include/asm/stackprotector.h | 4 +-
arch/x86/include/asm/stacktrace.h | 32 +-
arch/x86/include/asm/switch_to.h | 4 +-
- arch/x86/include/asm/thread_info.h | 31 +-
- arch/x86/include/asm/tlbflush.h | 73 +-
- arch/x86/include/asm/uaccess.h | 182 +-
- arch/x86/include/asm/uaccess_32.h | 24 +-
- arch/x86/include/asm/uaccess_64.h | 173 +-
+ arch/x86/include/asm/sys_ia32.h | 6 +-
+ arch/x86/include/asm/thread_info.h | 27 +-
+ arch/x86/include/asm/tlbflush.h | 77 +-
+ arch/x86/include/asm/uaccess.h | 192 +-
+ arch/x86/include/asm/uaccess_32.h | 28 +-
+ arch/x86/include/asm/uaccess_64.h | 169 +-
arch/x86/include/asm/word-at-a-time.h | 2 +-
arch/x86/include/asm/x86_init.h | 10 +-
arch/x86/include/asm/xen/page.h | 2 +-
- arch/x86/include/asm/xsave.h | 14 +-
arch/x86/include/uapi/asm/e820.h | 2 +-
- arch/x86/include/uapi/asm/ptrace-abi.h | 1 -
arch/x86/kernel/Makefile | 2 +-
arch/x86/kernel/acpi/boot.c | 4 +-
arch/x86/kernel/acpi/sleep.c | 4 +
arch/x86/kernel/acpi/wakeup_32.S | 6 +-
- arch/x86/kernel/alternative.c | 74 +-
+ arch/x86/kernel/alternative.c | 124 +-
arch/x86/kernel/apic/apic.c | 4 +-
arch/x86/kernel/apic/apic_flat_64.c | 4 +-
arch/x86/kernel/apic/apic_noop.c | 2 +-
arch/x86/kernel/apic/bigsmp_32.c | 2 +-
arch/x86/kernel/apic/io_apic.c | 8 +-
+ arch/x86/kernel/apic/msi.c | 2 +-
arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/vector.c | 4 +-
arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
arch/x86/kernel/apic/x2apic_phys.c | 2 +-
arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
- arch/x86/kernel/apm_32.c | 19 +-
+ arch/x86/kernel/apm_32.c | 21 +-
arch/x86/kernel/asm-offsets.c | 20 +
arch/x86/kernel/asm-offsets_64.c | 1 +
arch/x86/kernel/cpu/Makefile | 4 -
arch/x86/kernel/cpu/amd.c | 2 +-
- arch/x86/kernel/cpu/common.c | 134 +-
- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
+ arch/x86/kernel/cpu/common.c | 202 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 14 +-
arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
arch/x86/kernel/cpu/mcheck/p5.c | 3 +
arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
arch/x86/kernel/cpu/microcode/intel.c | 4 +-
arch/x86/kernel/cpu/mtrr/main.c | 2 +-
arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
- arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event.c | 10 +-
arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_bts.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_cqm.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_pt.c | 44 +-
arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
arch/x86/kernel/cpuid.c | 2 +-
- arch/x86/kernel/crash.c | 2 +-
arch/x86/kernel/crash_dump_64.c | 2 +-
arch/x86/kernel/doublefault.c | 8 +-
- arch/x86/kernel/dumpstack.c | 30 +-
- arch/x86/kernel/dumpstack_32.c | 29 +-
- arch/x86/kernel/dumpstack_64.c | 60 +-
+ arch/x86/kernel/dumpstack.c | 24 +-
+ arch/x86/kernel/dumpstack_32.c | 25 +-
+ arch/x86/kernel/dumpstack_64.c | 62 +-
arch/x86/kernel/e820.c | 4 +-
arch/x86/kernel/early_printk.c | 1 +
- arch/x86/kernel/entry_32.S | 358 +-
- arch/x86/kernel/entry_64.S | 735 +++-
- arch/x86/kernel/espfix_64.c | 2 +-
- arch/x86/kernel/ftrace.c | 8 +-
- arch/x86/kernel/head64.c | 13 +-
- arch/x86/kernel/head_32.S | 228 +-
- arch/x86/kernel/head_64.S | 139 +-
+ arch/x86/kernel/espfix_64.c | 13 +-
+ arch/x86/kernel/fpu/core.c | 22 +-
+ arch/x86/kernel/fpu/init.c | 8 +-
+ arch/x86/kernel/fpu/regset.c | 22 +-
+ arch/x86/kernel/fpu/signal.c | 20 +-
+ arch/x86/kernel/fpu/xstate.c | 8 +-
+ arch/x86/kernel/ftrace.c | 18 +-
+ arch/x86/kernel/head64.c | 14 +-
+ arch/x86/kernel/head_32.S | 235 +-
+ arch/x86/kernel/head_64.S | 149 +-
arch/x86/kernel/i386_ksyms_32.c | 12 +
- arch/x86/kernel/i387.c | 2 +-
arch/x86/kernel/i8259.c | 10 +-
arch/x86/kernel/io_delay.c | 2 +-
arch/x86/kernel/ioport.c | 2 +-
arch/x86/kernel/irq.c | 8 +-
- arch/x86/kernel/irq_32.c | 47 +-
- arch/x86/kernel/irq_64.c | 2 +-
- arch/x86/kernel/jump_label.c | 8 +-
- arch/x86/kernel/kgdb.c | 25 +-
- arch/x86/kernel/kprobes/core.c | 32 +-
+ arch/x86/kernel/irq_32.c | 45 +-
+ arch/x86/kernel/jump_label.c | 10 +-
+ arch/x86/kernel/kgdb.c | 21 +-
+ arch/x86/kernel/kprobes/core.c | 28 +-
arch/x86/kernel/kprobes/opt.c | 16 +-
arch/x86/kernel/ksysfs.c | 2 +-
- arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/ldt.c | 25 +
+ arch/x86/kernel/livepatch.c | 12 +-
arch/x86/kernel/machine_kexec_32.c | 6 +-
arch/x86/kernel/mcount_64.S | 19 +-
arch/x86/kernel/module.c | 78 +-
arch/x86/kernel/nmi_selftest.c | 4 +-
arch/x86/kernel/paravirt-spinlocks.c | 2 +-
arch/x86/kernel/paravirt.c | 45 +-
+ arch/x86/kernel/paravirt_patch_64.c | 8 +
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kernel/pci-iommu_table.c | 2 +-
arch/x86/kernel/pci-swiotlb.c | 2 +-
- arch/x86/kernel/process.c | 55 +-
- arch/x86/kernel/process_32.c | 32 +-
- arch/x86/kernel/process_64.c | 20 +-
+ arch/x86/kernel/process.c | 71 +-
+ arch/x86/kernel/process_32.c | 30 +-
+ arch/x86/kernel/process_64.c | 19 +-
arch/x86/kernel/ptrace.c | 20 +-
arch/x86/kernel/pvclock.c | 8 +-
- arch/x86/kernel/reboot.c | 42 +-
+ arch/x86/kernel/reboot.c | 44 +-
arch/x86/kernel/reboot_fixups_32.c | 2 +-
arch/x86/kernel/relocate_kernel_64.S | 3 +-
- arch/x86/kernel/setup.c | 63 +-
+ arch/x86/kernel/setup.c | 29 +-
arch/x86/kernel/setup_percpu.c | 29 +-
arch/x86/kernel/signal.c | 17 +-
arch/x86/kernel/smp.c | 2 +-
arch/x86/kernel/smpboot.c | 29 +-
- arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/step.c | 6 +-
arch/x86/kernel/sys_i386_32.c | 184 +
arch/x86/kernel/sys_x86_64.c | 22 +-
- arch/x86/kernel/tboot.c | 12 +-
- arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 8 +-
arch/x86/kernel/tls.c | 7 +-
arch/x86/kernel/tracepoint.c | 4 +-
- arch/x86/kernel/traps.c | 64 +-
+ arch/x86/kernel/traps.c | 53 +-
arch/x86/kernel/tsc.c | 2 +-
- arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/uprobes.c | 2 +-
arch/x86/kernel/vm86_32.c | 6 +-
arch/x86/kernel/vmlinux.lds.S | 147 +-
- arch/x86/kernel/vsyscall_64.c | 12 +-
arch/x86/kernel/x8664_ksyms_64.c | 6 +-
arch/x86/kernel/x86_init.c | 6 +-
- arch/x86/kernel/xsave.c | 10 +-
arch/x86/kvm/cpuid.c | 21 +-
+ arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/lapic.c | 2 +-
arch/x86/kvm/paging_tmpl.h | 2 +-
arch/x86/kvm/svm.c | 8 +
- arch/x86/kvm/vmx.c | 67 +-
- arch/x86/kvm/x86.c | 8 +-
+ arch/x86/kvm/vmx.c | 82 +-
+ arch/x86/kvm/x86.c | 44 +-
arch/x86/lguest/boot.c | 3 +-
arch/x86/lib/atomic64_386_32.S | 164 +
- arch/x86/lib/atomic64_cx8_32.S | 103 +-
- arch/x86/lib/checksum_32.S | 100 +-
- arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/atomic64_cx8_32.S | 98 +-
+ arch/x86/lib/checksum_32.S | 97 +-
+ arch/x86/lib/clear_page_64.S | 3 +
arch/x86/lib/cmpxchg16b_emu.S | 3 +
- arch/x86/lib/copy_page_64.S | 20 +-
- arch/x86/lib/copy_user_64.S | 81 +-
- arch/x86/lib/copy_user_nocache_64.S | 14 +
- arch/x86/lib/csum-copy_64.S | 18 +-
+ arch/x86/lib/copy_page_64.S | 14 +-
+ arch/x86/lib/copy_user_64.S | 66 +-
+ arch/x86/lib/csum-copy_64.S | 14 +-
arch/x86/lib/csum-wrappers_64.c | 8 +-
arch/x86/lib/getuser.S | 74 +-
- arch/x86/lib/insn.c | 6 +-
+ arch/x86/lib/insn.c | 8 +-
arch/x86/lib/iomap_copy_64.S | 2 +
- arch/x86/lib/memcpy_64.S | 10 +-
- arch/x86/lib/memmove_64.S | 4 +-
- arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/memcpy_64.S | 6 +
+ arch/x86/lib/memmove_64.S | 3 +-
+ arch/x86/lib/memset_64.S | 3 +
arch/x86/lib/mmx_32.c | 243 +-
arch/x86/lib/msr-reg.S | 2 +
- arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/putuser.S | 87 +-
arch/x86/lib/rwsem.S | 6 +-
- arch/x86/lib/thunk_64.S | 12 +-
- arch/x86/lib/usercopy_32.c | 357 +-
- arch/x86/lib/usercopy_64.c | 18 +-
+ arch/x86/lib/usercopy_32.c | 359 +-
+ arch/x86/lib/usercopy_64.c | 20 +-
+ arch/x86/math-emu/fpu_aux.c | 2 +-
+ arch/x86/math-emu/fpu_entry.c | 4 +-
+ arch/x86/math-emu/fpu_system.h | 2 +-
arch/x86/mm/Makefile | 4 +
- arch/x86/mm/extable.c | 25 +-
- arch/x86/mm/fault.c | 568 ++-
+ arch/x86/mm/extable.c | 26 +-
+ arch/x86/mm/fault.c | 570 +-
arch/x86/mm/gup.c | 6 +-
arch/x86/mm/highmem_32.c | 4 +
arch/x86/mm/hugetlbpage.c | 24 +-
arch/x86/mm/init.c | 101 +-
arch/x86/mm/init_32.c | 111 +-
- arch/x86/mm/init_64.c | 50 +-
+ arch/x86/mm/init_64.c | 46 +-
arch/x86/mm/iomap_32.c | 4 +
- arch/x86/mm/ioremap.c | 17 +-
+ arch/x86/mm/ioremap.c | 44 +-
arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
- arch/x86/mm/mmap.c | 36 +-
+ arch/x86/mm/mmap.c | 40 +-
arch/x86/mm/mmio-mod.c | 10 +-
arch/x86/mm/numa.c | 2 +-
arch/x86/mm/pageattr.c | 33 +-
arch/x86/mm/pat.c | 12 +-
arch/x86/mm/pat_rbtree.c | 2 +-
arch/x86/mm/pf_in.c | 10 +-
- arch/x86/mm/pgtable.c | 151 +-
+ arch/x86/mm/pgtable.c | 162 +-
arch/x86/mm/pgtable_32.c | 3 +
- arch/x86/mm/physaddr.c | 4 +-
arch/x86/mm/setup_nx.c | 7 +
arch/x86/mm/tlb.c | 4 +
arch/x86/mm/uderef_64.c | 37 +
arch/x86/net/bpf_jit.S | 11 +
- arch/x86/net/bpf_jit_comp.c | 6 +-
- arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/net/bpf_jit_comp.c | 13 +-
+ arch/x86/oprofile/backtrace.c | 6 +-
arch/x86/oprofile/nmi_int.c | 8 +-
arch/x86/oprofile/op_model_amd.c | 8 +-
arch/x86/oprofile/op_model_ppro.c | 7 +-
arch/x86/pci/irq.c | 8 +-
arch/x86/pci/pcbios.c | 144 +-
arch/x86/platform/efi/efi_32.c | 24 +
- arch/x86/platform/efi/efi_64.c | 27 +-
+ arch/x86/platform/efi/efi_64.c | 26 +-
arch/x86/platform/efi/efi_stub_32.S | 64 +-
- arch/x86/platform/efi/efi_stub_64.S | 6 +-
- arch/x86/platform/intel-mid/intel-mid.c | 3 +-
+ arch/x86/platform/efi/efi_stub_64.S | 2 +
+ arch/x86/platform/intel-mid/intel-mid.c | 5 +-
arch/x86/platform/intel-mid/intel_mid_weak_decls.h | 6 +-
arch/x86/platform/intel-mid/mfld.c | 4 +-
arch/x86/platform/intel-mid/mrfl.c | 2 +-
+ arch/x86/platform/intel-quark/imr_selftest.c | 2 +-
arch/x86/platform/olpc/olpc_dt.c | 2 +-
arch/x86/power/cpu.c | 11 +-
arch/x86/realmode/init.c | 10 +-
arch/x86/realmode/rm/Makefile | 3 +
arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/reboot.S | 4 +
arch/x86/realmode/rm/trampoline_32.S | 12 +-
arch/x86/realmode/rm/trampoline_64.S | 3 +-
arch/x86/realmode/rm/wakeup_asm.S | 5 +-
arch/x86/tools/Makefile | 2 +-
- arch/x86/tools/relocs.c | 94 +-
+ arch/x86/tools/relocs.c | 96 +-
arch/x86/um/mem_32.c | 2 +-
arch/x86/um/tls_32.c | 2 +-
- arch/x86/vdso/Makefile | 2 +-
- arch/x86/vdso/vdso2c.h | 2 +-
- arch/x86/vdso/vdso32-setup.c | 1 +
- arch/x86/vdso/vma.c | 39 +-
- arch/x86/xen/enlighten.c | 45 +-
- arch/x86/xen/mmu.c | 13 +-
- arch/x86/xen/smp.c | 21 +-
+ arch/x86/xen/enlighten.c | 50 +-
+ arch/x86/xen/mmu.c | 17 +-
+ arch/x86/xen/smp.c | 16 +-
arch/x86/xen/xen-asm_32.S | 2 +-
arch/x86/xen/xen-head.S | 11 +
arch/x86/xen/xen-ops.h | 2 -
- block/bio.c | 6 +-
+ block/bio.c | 4 +-
block/blk-iopoll.c | 2 +-
block/blk-map.c | 2 +-
block/blk-softirq.c | 2 +-
block/scsi_ioctl.c | 29 +-
crypto/cryptd.c | 4 +-
crypto/pcrypt.c | 2 +-
+ crypto/zlib.c | 4 +-
+ drivers/acpi/acpi_video.c | 2 +-
drivers/acpi/apei/apei-internal.h | 2 +-
drivers/acpi/apei/ghes.c | 4 +-
drivers/acpi/bgrt.c | 6 +-
drivers/acpi/blacklist.c | 4 +-
+ drivers/acpi/bus.c | 4 +-
drivers/acpi/device_pm.c | 4 +-
+ drivers/acpi/ec.c | 2 +-
+ drivers/acpi/pci_slot.c | 2 +-
+ drivers/acpi/processor_driver.c | 2 +-
drivers/acpi/processor_idle.c | 2 +-
+ drivers/acpi/processor_pdc.c | 2 +-
+ drivers/acpi/sleep.c | 2 +-
drivers/acpi/sysfs.c | 4 +-
+ drivers/acpi/thermal.c | 2 +-
+ drivers/acpi/video_detect.c | 7 +-
drivers/ata/libahci.c | 2 +-
drivers/ata/libata-core.c | 12 +-
drivers/ata/libata-scsi.c | 2 +-
drivers/base/bus.c | 4 +-
drivers/base/devtmpfs.c | 8 +-
drivers/base/node.c | 2 +-
- drivers/base/power/domain.c | 4 +-
+ drivers/base/power/domain.c | 11 +-
drivers/base/power/sysfs.c | 2 +-
drivers/base/power/wakeup.c | 8 +-
drivers/base/syscore.c | 4 +-
drivers/block/cpqarray.c | 28 +-
drivers/block/cpqarray.h | 2 +-
drivers/block/drbd/drbd_bitmap.c | 2 +-
- drivers/block/drbd/drbd_int.h | 10 +-
+ drivers/block/drbd/drbd_int.h | 8 +-
drivers/block/drbd/drbd_main.c | 12 +-
drivers/block/drbd/drbd_nl.c | 4 +-
drivers/block/drbd/drbd_receiver.c | 34 +-
drivers/block/drbd/drbd_worker.c | 8 +-
- drivers/block/loop.c | 2 +-
- drivers/block/nvme-core.c | 6 +-
drivers/block/pktcdvd.c | 4 +-
+ drivers/block/rbd.c | 2 +-
drivers/bluetooth/btwilink.c | 2 +-
drivers/cdrom/cdrom.c | 11 +-
drivers/cdrom/gdrom.c | 1 -
drivers/char/agp/compat_ioctl.c | 2 +-
drivers/char/agp/frontend.c | 4 +-
+ drivers/char/agp/intel-gtt.c | 4 +-
drivers/char/hpet.c | 2 +-
drivers/char/ipmi/ipmi_msghandler.c | 8 +-
drivers/char/ipmi/ipmi_si_intf.c | 8 +-
- drivers/char/mem.c | 43 +-
+ drivers/char/mem.c | 47 +-
drivers/char/nvram.c | 2 +-
drivers/char/pcmcia/synclink_cs.c | 16 +-
drivers/char/random.c | 12 +-
- drivers/char/sonypi.c | 9 +-
+ drivers/char/sonypi.c | 11 +-
drivers/char/tpm/tpm_acpi.c | 3 +-
drivers/char/tpm/tpm_eventlog.c | 7 +-
drivers/char/virtio_console.c | 4 +-
drivers/clk/clk-composite.c | 2 +-
+ drivers/clk/samsung/clk.h | 2 +-
drivers/clk/socfpga/clk-gate.c | 9 +-
drivers/clk/socfpga/clk-pll.c | 9 +-
drivers/cpufreq/acpi-cpufreq.c | 17 +-
+ drivers/cpufreq/cpufreq-dt.c | 4 +-
drivers/cpufreq/cpufreq.c | 26 +-
- drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq_governor.c | 2 +-
drivers/cpufreq/cpufreq_governor.h | 4 +-
drivers/cpufreq/cpufreq_ondemand.c | 10 +-
drivers/cpufreq/intel_pstate.c | 33 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 67 +-
drivers/cpufreq/speedstep-centrino.c | 7 +-
drivers/cpuidle/driver.c | 2 +-
+ drivers/cpuidle/dt_idle_states.c | 2 +-
drivers/cpuidle/governor.c | 2 +-
drivers/cpuidle/sysfs.c | 2 +-
drivers/crypto/hifn_795x.c | 4 +-
drivers/dma/sh/shdma-base.c | 4 +-
drivers/dma/sh/shdmac.c | 2 +-
drivers/edac/edac_device.c | 4 +-
- drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_mc_sysfs.c | 2 +-
drivers/edac/edac_pci.c | 4 +-
drivers/edac/edac_pci_sysfs.c | 22 +-
drivers/edac/mce_amd.h | 2 +-
drivers/firewire/core-transaction.c | 1 +
drivers/firewire/core.h | 1 +
drivers/firmware/dmi-id.c | 2 +-
- drivers/firmware/dmi_scan.c | 2 +-
+ drivers/firmware/dmi_scan.c | 12 +-
drivers/firmware/efi/cper.c | 8 +-
drivers/firmware/efi/efi.c | 12 +-
drivers/firmware/efi/efivars.c | 2 +-
- drivers/firmware/google/memconsole.c | 5 +-
+ drivers/firmware/efi/runtime-map.c | 2 +-
+ drivers/firmware/google/gsmi.c | 2 +-
+ drivers/firmware/google/memconsole.c | 7 +-
+ drivers/firmware/memmap.c | 2 +-
+ drivers/gpio/gpio-davinci.c | 6 +-
drivers/gpio/gpio-em.c | 2 +-
drivers/gpio/gpio-ich.c | 2 +-
+ drivers/gpio/gpio-omap.c | 4 +-
drivers/gpio/gpio-rcar.c | 2 +-
drivers/gpio/gpio-vr41xx.c | 2 +-
drivers/gpio/gpiolib.c | 13 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +-
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 90 +-
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.h | 8 +-
+ .../drm/amd/amdkfd/kfd_device_queue_manager_cik.c | 14 +-
+ .../drm/amd/amdkfd/kfd_device_queue_manager_vi.c | 14 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c | 4 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h | 2 +-
+ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 16 +-
drivers/gpu/drm/drm_crtc.c | 2 +-
drivers/gpu/drm/drm_drv.c | 2 +-
drivers/gpu/drm/drm_fops.c | 12 +-
drivers/gpu/drm/drm_info.c | 13 +-
drivers/gpu/drm/drm_ioc32.c | 13 +-
drivers/gpu/drm/drm_ioctl.c | 2 +-
+ drivers/gpu/drm/gma500/mdfld_dsi_dpi.c | 10 +-
drivers/gpu/drm/i810/i810_drv.h | 4 +-
+ drivers/gpu/drm/i915/i915_debugfs.c | 2 +-
drivers/gpu/drm/i915/i915_dma.c | 2 +-
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
- drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 32 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.h | 16 +-
+ drivers/gpu/drm/i915/i915_gem_stolen.c | 2 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 16 +-
drivers/gpu/drm/i915/intel_display.c | 26 +-
+ drivers/gpu/drm/imx/imx-drm-core.c | 2 +-
drivers/gpu/drm/mga/mga_drv.h | 4 +-
- drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 10 +-
drivers/gpu/drm/mga/mga_irq.c | 8 +-
drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/omapdrm/Makefile | 2 +-
drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
drivers/gpu/drm/r128/r128_cce.c | 2 +-
drivers/gpu/drm/r128/r128_drv.h | 4 +-
- drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 10 +-
drivers/gpu/drm/r128/r128_irq.c | 4 +-
drivers/gpu/drm/r128/r128_state.c | 4 +-
drivers/gpu/drm/radeon/mkregtable.c | 4 +-
drivers/gpu/drm/radeon/radeon_device.c | 2 +-
drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 12 +-
drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
drivers/gpu/drm/radeon/radeon_state.c | 4 +-
drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
drivers/gpu/drm/tegra/dc.c | 2 +-
drivers/gpu/drm/tegra/dsi.c | 2 +-
drivers/gpu/drm/tegra/hdmi.c | 2 +-
+ drivers/gpu/drm/tegra/sor.c | 7 +-
+ drivers/gpu/drm/tilcdc/Makefile | 6 +-
drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 18 +-
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 18 +-
drivers/gpu/drm/udl/udl_fb.c | 1 -
drivers/gpu/drm/via/via_drv.h | 4 +-
drivers/gpu/drm/via/via_irq.c | 18 +-
+ drivers/gpu/drm/virtio/virtgpu_debugfs.c | 2 +-
+ drivers/gpu/drm/virtio/virtgpu_fence.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
drivers/gpu/vga/vga_switcheroo.c | 4 +-
drivers/hid/hid-core.c | 4 +-
- drivers/hv/channel.c | 4 +-
+ drivers/hid/hid-sensor-custom.c | 2 +-
+ drivers/hv/channel.c | 2 +-
drivers/hv/hv.c | 4 +-
drivers/hv/hv_balloon.c | 18 +-
drivers/hv/hyperv_vmbus.h | 2 +-
- drivers/hv/vmbus_drv.c | 4 +-
- drivers/hwmon/acpi_power_meter.c | 4 +-
+ drivers/hwmon/acpi_power_meter.c | 6 +-
drivers/hwmon/applesmc.c | 2 +-
drivers/hwmon/asus_atk0110.c | 10 +-
drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/dell-smm-hwmon.c | 2 +-
drivers/hwmon/ibmaem.c | 2 +-
drivers/hwmon/iio_hwmon.c | 2 +-
drivers/hwmon/nct6683.c | 6 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/ide/ide-cd.c | 2 +-
drivers/iio/industrialio-core.c | 2 +-
+ drivers/iio/magnetometer/ak8975.c | 2 +-
drivers/infiniband/core/cm.c | 32 +-
drivers/infiniband/core/fmr_pool.c | 20 +-
+ drivers/infiniband/core/uverbs_cmd.c | 3 +
drivers/infiniband/hw/cxgb4/mem.c | 4 +-
drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
drivers/input/mousedev.c | 2 +-
drivers/input/serio/serio.c | 4 +-
drivers/input/serio/serio_raw.c | 4 +-
- drivers/iommu/arm-smmu.c | 2 +-
+ drivers/input/touchscreen/htcpen.c | 2 +-
+ drivers/iommu/arm-smmu.c | 43 +-
+ drivers/iommu/io-pgtable-arm.c | 101 +-
+ drivers/iommu/io-pgtable.c | 11 +-
+ drivers/iommu/io-pgtable.h | 19 +-
drivers/iommu/iommu.c | 2 +-
- drivers/iommu/irq_remapping.c | 12 +-
- drivers/irqchip/irq-gic.c | 4 +-
+ drivers/iommu/ipmmu-vmsa.c | 13 +-
+ drivers/iommu/irq_remapping.c | 2 +-
+ drivers/irqchip/irq-gic.c | 2 +-
+ drivers/irqchip/irq-renesas-intc-irqpin.c | 2 +-
drivers/irqchip/irq-renesas-irqc.c | 2 +-
drivers/isdn/capi/capi.c | 10 +-
drivers/isdn/gigaset/interface.c | 8 +-
drivers/isdn/i4l/isdn_tty.c | 22 +-
drivers/isdn/icn/icn.c | 2 +-
drivers/isdn/mISDN/dsp_cmx.c | 2 +-
- drivers/leds/leds-clevo-mail.c | 2 +-
- drivers/leds/leds-ss4200.c | 2 +-
drivers/lguest/core.c | 10 +-
drivers/lguest/page_tables.c | 2 +-
drivers/lguest/x86/core.c | 12 +-
drivers/md/bcache/closure.h | 2 +-
drivers/md/bitmap.c | 2 +-
drivers/md/dm-ioctl.c | 2 +-
- drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-raid1.c | 18 +-
drivers/md/dm-stats.c | 6 +-
drivers/md/dm-stripe.c | 10 +-
drivers/md/dm-table.c | 2 +-
drivers/md/persistent-data/dm-space-map.h | 1 +
drivers/md/raid1.c | 4 +-
drivers/md/raid10.c | 16 +-
- drivers/md/raid5.c | 10 +-
+ drivers/md/raid5.c | 22 +-
drivers/media/dvb-core/dvbdev.c | 2 +-
drivers/media/dvb-frontends/af9033.h | 2 +-
drivers/media/dvb-frontends/dib3000.h | 2 +-
drivers/media/radio/radio-shark.c | 2 +-
drivers/media/radio/radio-shark2.c | 2 +-
drivers/media/radio/radio-si476x.c | 2 +-
- drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ drivers/media/radio/wl128x/fmdrv_common.c | 2 +-
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 12 +-
drivers/media/v4l2-core/v4l2-device.c | 4 +-
drivers/media/v4l2-core/v4l2-ioctl.c | 13 +-
+ drivers/memory/omap-gpmc.c | 21 +-
drivers/message/fusion/mptsas.c | 34 +-
- drivers/message/i2o/i2o_proc.c | 67 +-
- drivers/message/i2o/iop.c | 8 +-
drivers/mfd/ab8500-debugfs.c | 2 +-
+ drivers/mfd/kempld-core.c | 2 +-
drivers/mfd/max8925-i2c.c | 2 +-
drivers/mfd/tps65910.c | 2 +-
drivers/mfd/twl4030-irq.c | 9 +-
drivers/misc/kgdbts.c | 4 +-
drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/mic/scif/scif_rb.c | 8 +-
drivers/misc/sgi-gru/gruhandles.c | 4 +-
drivers/misc/sgi-gru/gruprocfs.c | 8 +-
drivers/misc/sgi-gru/grutables.h | 154 +-
drivers/misc/sgi-xp/xp.h | 2 +-
drivers/misc/sgi-xp/xpc.h | 3 +-
- drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/misc/sgi-xp/xpc_main.c | 2 +-
drivers/mmc/card/block.c | 2 +-
- drivers/mmc/core/mmc_ops.c | 2 +-
drivers/mmc/host/dw_mmc.h | 2 +-
drivers/mmc/host/mmci.c | 4 +-
drivers/mmc/host/omap_hsmmc.c | 4 +-
drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +-
drivers/mtd/nftlmount.c | 1 +
drivers/mtd/sm_ftl.c | 2 +-
- drivers/net/bonding/bond_main.c | 2 +-
drivers/net/bonding/bond_netlink.c | 2 +-
drivers/net/caif/caif_hsi.c | 2 +-
drivers/net/can/Kconfig | 2 +-
drivers/net/ethernet/altera/altera_tse_main.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-common.h | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-dcb.c | 4 +-
- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 29 +-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 137 +-
- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 60 +-
- drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 6 +-
- drivers/net/ethernet/amd/xgbe/xgbe-main.c | 11 +-
- drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 27 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 143 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 64 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 10 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-main.c | 15 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 27 +-
drivers/net/ethernet/amd/xgbe/xgbe-ptp.c | 4 +-
- drivers/net/ethernet/amd/xgbe/xgbe.h | 7 +-
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 10 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/cavium/liquidio/lio_ethtool.c | 6 +-
+ drivers/net/ethernet/cavium/liquidio/lio_main.c | 11 +-
drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
drivers/net/ethernet/faraday/ftgmac100.c | 2 +
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_tx.c | 4 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +-
drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
drivers/net/ethernet/realtek/r8169.c | 8 +-
drivers/net/ethernet/sfc/ptp.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
+ drivers/net/ethernet/via/via-rhine.c | 2 +-
drivers/net/hyperv/hyperv_net.h | 2 +-
drivers/net/hyperv/rndis_filter.c | 4 +-
- drivers/net/ieee802154/fakehard.c | 2 +-
drivers/net/ifb.c | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
drivers/net/macvlan.c | 20 +-
drivers/net/macvtap.c | 6 +-
drivers/net/nlmon.c | 2 +-
+ drivers/net/phy/phy_device.c | 6 +-
drivers/net/ppp/ppp_generic.c | 4 +-
drivers/net/slip/slhc.c | 2 +-
drivers/net/team/team.c | 4 +-
drivers/net/wireless/ti/wl12xx/main.c | 8 +-
drivers/net/wireless/ti/wl18xx/main.c | 6 +-
drivers/nfc/nfcwilink.c | 2 +-
+ drivers/of/fdt.c | 4 +-
drivers/oprofile/buffer_sync.c | 8 +-
drivers/oprofile/event_buffer.c | 2 +-
drivers/oprofile/oprof.c | 2 +-
drivers/oprofile/oprofilefs.c | 6 +-
drivers/oprofile/timer_int.c | 2 +-
drivers/parport/procfs.c | 4 +-
+ drivers/pci/host/pci-host-generic.c | 24 +-
drivers/pci/hotplug/acpiphp_ibm.c | 4 +-
drivers/pci/hotplug/cpcihp_generic.c | 6 +-
drivers/pci/hotplug/cpcihp_zt5550.c | 14 +-
drivers/pci/hotplug/cpqphp_nvram.c | 2 +
drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
- drivers/pci/msi.c | 6 +-
+ drivers/pci/msi.c | 21 +-
drivers/pci/pci-sysfs.c | 6 +-
drivers/pci/pci.h | 2 +-
drivers/pci/pcie/aspm.c | 6 +-
+ drivers/pci/pcie/portdrv_pci.c | 2 +-
drivers/pci/probe.c | 2 +-
- drivers/platform/chrome/chromeos_laptop.c | 2 +-
+ drivers/pinctrl/pinctrl-at91.c | 5 +-
+ drivers/platform/chrome/chromeos_pstore.c | 2 +-
drivers/platform/x86/alienware-wmi.c | 4 +-
- drivers/platform/x86/msi-laptop.c | 14 +-
+ drivers/platform/x86/compal-laptop.c | 2 +-
+ drivers/platform/x86/hdaps.c | 2 +-
+ drivers/platform/x86/ibm_rtl.c | 2 +-
+ drivers/platform/x86/intel_oaktrail.c | 2 +-
+ drivers/platform/x86/msi-laptop.c | 16 +-
drivers/platform/x86/msi-wmi.c | 2 +-
- drivers/platform/x86/sony-laptop.c | 12 +-
- drivers/platform/x86/thinkpad_acpi.c | 4 +-
+ drivers/platform/x86/samsung-laptop.c | 2 +-
+ drivers/platform/x86/samsung-q10.c | 2 +-
+ drivers/platform/x86/sony-laptop.c | 14 +-
+ drivers/platform/x86/thinkpad_acpi.c | 2 +-
drivers/pnp/pnpbios/bioscalls.c | 14 +-
+ drivers/pnp/pnpbios/core.c | 2 +-
drivers/power/pda_power.c | 7 +-
drivers/power/power_supply.h | 4 +-
drivers/power/power_supply_core.c | 7 +-
drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/power/reset/at91-reset.c | 9 +-
drivers/powercap/powercap_sys.c | 136 +-
drivers/ptp/ptp_private.h | 2 +-
drivers/ptp/ptp_sysfs.c | 2 +-
drivers/regulator/core.c | 4 +-
drivers/regulator/max8660.c | 6 +-
- drivers/regulator/max8973-regulator.c | 8 +-
- drivers/regulator/mc13892-regulator.c | 6 +-
+ drivers/regulator/max8973-regulator.c | 16 +-
+ drivers/regulator/mc13892-regulator.c | 8 +-
+ drivers/rtc/rtc-armada38x.c | 7 +-
drivers/rtc/rtc-cmos.c | 4 +-
drivers/rtc/rtc-ds1307.c | 2 +-
drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/rtc/rtc-test.c | 6 +-
+ drivers/scsi/be2iscsi/be_main.c | 2 +-
drivers/scsi/bfa/bfa_fcpim.h | 2 +-
drivers/scsi/bfa/bfa_ioc.h | 4 +-
drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
drivers/scsi/qla4xxx/ql4_def.h | 2 +-
drivers/scsi/qla4xxx/ql4_os.c | 6 +-
drivers/scsi/scsi.c | 2 +-
- drivers/scsi/scsi_lib.c | 6 +-
+ drivers/scsi/scsi_lib.c | 8 +-
drivers/scsi/scsi_sysfs.c | 2 +-
drivers/scsi/scsi_transport_fc.c | 8 +-
drivers/scsi/scsi_transport_iscsi.c | 6 +-
drivers/scsi/scsi_transport_srp.c | 6 +-
- drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sd.c | 6 +-
drivers/scsi/sg.c | 2 +-
+ drivers/scsi/sr.c | 21 +-
drivers/soc/tegra/fuse/fuse-tegra.c | 2 +-
drivers/spi/spi.c | 2 +-
+ drivers/spi/spidev.c | 2 +-
drivers/staging/android/timed_output.c | 6 +-
+ drivers/staging/comedi/comedi_fops.c | 8 +-
+ drivers/staging/fbtft/fbtft-core.c | 2 +-
+ drivers/staging/fbtft/fbtft.h | 2 +-
drivers/staging/gdm724x/gdm_tty.c | 2 +-
- drivers/staging/imx-drm/imx-drm-core.c | 2 +-
+ drivers/staging/iio/accel/lis3l02dq_ring.c | 2 +-
+ drivers/staging/iio/adc/ad7280a.c | 4 +-
drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
drivers/staging/lustre/lnet/selftest/framework.c | 4 -
drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
drivers/staging/lustre/lustre/include/obd.h | 2 +-
- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
+ drivers/staging/lustre/lustre/libcfs/module.c | 6 +-
drivers/staging/octeon/ethernet-rx.c | 12 +-
drivers/staging/octeon/ethernet.c | 8 +-
drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
drivers/staging/rtl8712/rtl871x_io.h | 2 +-
- drivers/staging/unisys/visorchipset/visorchipset.h | 4 +-
- drivers/staging/vt6655/hostap.c | 7 +-
+ drivers/staging/sm750fb/sm750.c | 14 +-
+ drivers/staging/unisys/visorbus/visorbus_private.h | 4 +-
drivers/target/sbp/sbp_target.c | 4 +-
drivers/target/target_core_device.c | 2 +-
drivers/target/target_core_transport.c | 2 +-
+ drivers/thermal/cpu_cooling.c | 9 +-
drivers/thermal/int340x_thermal/int3400_thermal.c | 6 +-
- drivers/thermal/of-thermal.c | 13 +-
+ drivers/thermal/of-thermal.c | 17 +-
+ drivers/thermal/x86_pkg_temp_thermal.c | 2 +-
drivers/tty/cyclades.c | 6 +-
drivers/tty/hvc/hvc_console.c | 14 +-
drivers/tty/hvc/hvcs.c | 21 +-
drivers/tty/n_tty.c | 5 +-
drivers/tty/pty.c | 4 +-
drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/8250/8250_core.c | 10 +-
+ drivers/tty/serial/ifx6x60.c | 2 +-
drivers/tty/serial/ioc4_serial.c | 6 +-
drivers/tty/serial/kgdb_nmi.c | 4 +-
drivers/tty/serial/kgdboc.c | 32 +-
drivers/usb/core/usb.c | 2 +-
drivers/usb/early/ehci-dbgp.c | 16 +-
drivers/usb/gadget/function/u_serial.c | 22 +-
+ drivers/usb/gadget/udc/dummy_hcd.c | 2 +-
+ drivers/usb/host/ehci-hcd.c | 2 +-
drivers/usb/host/ehci-hub.c | 4 +-
+ drivers/usb/host/ehci-q.c | 4 +-
+ drivers/usb/host/fotg210-hcd.c | 2 +-
+ drivers/usb/host/fusbh200-hcd.c | 2 +-
+ drivers/usb/host/hwa-hc.c | 2 +-
+ drivers/usb/host/ohci-hcd.c | 2 +-
+ drivers/usb/host/r8a66597.h | 2 +-
+ drivers/usb/host/uhci-hcd.c | 2 +-
+ drivers/usb/host/xhci-pci.c | 2 +-
+ drivers/usb/host/xhci.c | 2 +-
drivers/usb/misc/appledisplay.c | 4 +-
drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/usb.c | 2 +-
drivers/usb/storage/usb.h | 2 +-
drivers/usb/usbip/vhci.h | 2 +-
drivers/usb/usbip/vhci_hcd.c | 6 +-
drivers/video/fbdev/core/fbmem.c | 2 +-
drivers/video/fbdev/hyperv_fb.c | 4 +-
drivers/video/fbdev/i810/i810_accel.c | 1 +
+ drivers/video/fbdev/matrox/matroxfb_base.c | 2 +-
drivers/video/fbdev/mb862xx/mb862xxfb_accel.c | 16 +-
drivers/video/fbdev/nvidia/nvidia.c | 27 +-
drivers/video/fbdev/omap2/dss/display.c | 8 +-
drivers/video/fbdev/uvesafb.c | 52 +-
drivers/video/fbdev/vesafb.c | 58 +-
drivers/video/fbdev/via/via_clock.h | 2 +-
- fs/9p/vfs_addr.c | 2 +-
- fs/9p/vfs_inode.c | 2 +-
+ drivers/xen/events/events_base.c | 6 +-
+ drivers/xen/evtchn.c | 4 +-
fs/Kconfig.binfmt | 2 +-
fs/afs/inode.c | 4 +-
fs/aio.c | 2 +-
fs/autofs4/waitq.c | 2 +-
fs/befs/endian.h | 6 +-
fs/binfmt_aout.c | 23 +-
- fs/binfmt_elf.c | 674 +++-
+ fs/binfmt_elf.c | 672 +-
+ fs/binfmt_elf_fdpic.c | 2 +-
fs/block_dev.c | 2 +-
fs/btrfs/ctree.c | 9 +-
fs/btrfs/delayed-inode.c | 6 +-
fs/cachefiles/internal.h | 12 +-
fs/cachefiles/namei.c | 2 +-
fs/cachefiles/proc.c | 12 +-
- fs/ceph/dir.c | 11 +-
+ fs/ceph/dir.c | 12 +-
fs/ceph/super.c | 4 +-
fs/cifs/cifs_debug.c | 12 +-
fs/cifs/cifsfs.c | 8 +-
fs/compat_ioctl.c | 12 +-
fs/configfs/dir.c | 10 +-
fs/coredump.c | 16 +-
- fs/dcache.c | 43 +-
+ fs/dcache.c | 51 +-
fs/ecryptfs/inode.c | 2 +-
fs/ecryptfs/miscdev.c | 2 +-
- fs/exec.c | 362 ++-
+ fs/exec.c | 362 +-
fs/ext2/xattr.c | 5 +-
fs/ext3/xattr.c | 5 +-
fs/ext4/ext4.h | 20 +-
fs/ext4/mballoc.c | 44 +-
fs/ext4/mmp.c | 2 +-
+ fs/ext4/resize.c | 16 +-
fs/ext4/super.c | 4 +-
fs/ext4/xattr.c | 5 +-
fs/fhandle.c | 3 +-
fs/file.c | 4 +-
fs/fs_struct.c | 8 +-
fs/fscache/cookie.c | 40 +-
- fs/fscache/internal.h | 200 +-
+ fs/fscache/internal.h | 202 +-
fs/fscache/object.c | 26 +-
- fs/fscache/operation.c | 30 +-
+ fs/fscache/operation.c | 38 +-
fs/fscache/page.c | 110 +-
- fs/fscache/stats.c | 344 +-
+ fs/fscache/stats.c | 348 +-
fs/fuse/cuse.c | 10 +-
fs/fuse/dev.c | 4 +-
- fs/fuse/dir.c | 2 +-
- fs/hostfs/hostfs_kern.c | 2 +-
+ fs/gfs2/glock.c | 22 +-
+ fs/gfs2/glops.c | 4 +-
+ fs/gfs2/quota.c | 6 +-
fs/hugetlbfs/inode.c | 13 +-
fs/inode.c | 4 +-
fs/jffs2/erase.c | 3 +-
fs/jffs2/wbuf.c | 3 +-
fs/jfs/super.c | 2 +-
fs/kernfs/dir.c | 2 +-
- fs/kernfs/file.c | 16 +-
- fs/kernfs/symlink.c | 2 +-
- fs/libfs.c | 12 +-
+ fs/kernfs/file.c | 20 +-
+ fs/libfs.c | 10 +-
fs/lockd/clntproc.c | 4 +-
- fs/locks.c | 8 +-
fs/namei.c | 16 +-
fs/namespace.c | 16 +-
fs/nfs/callback_xdr.c | 2 +-
fs/notify/fanotify/fanotify_user.c | 4 +-
fs/notify/notification.c | 4 +-
fs/ntfs/dir.c | 2 +-
- fs/ntfs/file.c | 2 +-
fs/ntfs/super.c | 6 +-
fs/ocfs2/localalloc.c | 2 +-
fs/ocfs2/ocfs2.h | 10 +-
fs/ocfs2/suballoc.c | 12 +-
fs/ocfs2/super.c | 20 +-
- fs/pipe.c | 59 +-
+ fs/pipe.c | 72 +-
fs/posix_acl.c | 4 +-
fs/proc/array.c | 20 +
fs/proc/base.c | 4 +-
- fs/proc/kcore.c | 32 +-
+ fs/proc/kcore.c | 34 +-
fs/proc/meminfo.c | 2 +-
fs/proc/nommu.c | 2 +-
- fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/proc_sysctl.c | 26 +-
fs/proc/task_mmu.c | 39 +-
fs/proc/task_nommu.c | 4 +-
fs/proc/vmcore.c | 16 +-
fs/reiserfs/reiserfs.h | 4 +-
fs/seq_file.c | 4 +-
fs/splice.c | 43 +-
+ fs/squashfs/xattr.c | 12 +-
fs/sysv/sysv.h | 2 +-
+ fs/tracefs/inode.c | 8 +-
fs/ubifs/io.c | 2 +-
fs/udf/misc.c | 2 +-
fs/ufs/swab.h | 4 +-
include/asm-generic/bitops/__fls.h | 2 +-
include/asm-generic/bitops/fls.h | 2 +-
include/asm-generic/bitops/fls64.h | 4 +-
+ include/asm-generic/bug.h | 6 +-
include/asm-generic/cache.h | 4 +-
include/asm-generic/emergency-restart.h | 2 +-
include/asm-generic/kmap_types.h | 4 +-
include/asm-generic/pgtable-nopud.h | 15 +-
include/asm-generic/pgtable.h | 16 +
include/asm-generic/uaccess.h | 16 +
- include/asm-generic/vmlinux.lds.h | 10 +-
+ include/asm-generic/vmlinux.lds.h | 13 +-
include/crypto/algapi.h | 2 +-
include/drm/drmP.h | 16 +-
include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/drm_mm.h | 2 +-
include/drm/i915_pciids.h | 2 +-
+ include/drm/intel-gtt.h | 4 +-
include/drm/ttm/ttm_memory.h | 2 +-
include/drm/ttm/ttm_page_alloc.h | 1 +
include/keys/asymmetric-subtype.h | 2 +-
include/linux/atmdev.h | 4 +-
+ include/linux/atomic.h | 2 +-
include/linux/audit.h | 2 +-
include/linux/binfmts.h | 3 +-
- include/linux/bitops.h | 6 +-
+ include/linux/bitmap.h | 2 +-
+ include/linux/bitops.h | 8 +-
include/linux/blkdev.h | 2 +-
include/linux/blktrace_api.h | 2 +-
include/linux/cache.h | 8 +
include/linux/cdrom.h | 1 -
include/linux/cleancache.h | 2 +-
include/linux/clk-provider.h | 1 +
- include/linux/compat.h | 4 +-
- include/linux/compiler-gcc4.h | 20 +
- include/linux/compiler.h | 65 +-
+ include/linux/compat.h | 6 +-
+ include/linux/compiler-gcc.h | 28 +-
+ include/linux/compiler.h | 95 +-
include/linux/completion.h | 12 +-
include/linux/configfs.h | 2 +-
include/linux/cpufreq.h | 3 +-
include/linux/cpuidle.h | 5 +-
- include/linux/cpumask.h | 12 +-
- include/linux/crypto.h | 6 +-
+ include/linux/cpumask.h | 14 +-
+ include/linux/crypto.h | 4 +-
include/linux/ctype.h | 2 +-
+ include/linux/dcache.h | 4 +-
include/linux/decompress/mm.h | 2 +-
include/linux/devfreq.h | 2 +-
include/linux/device.h | 7 +-
include/linux/dma-mapping.h | 2 +-
- include/linux/dmaengine.h | 4 +-
include/linux/efi.h | 1 +
include/linux/elf.h | 2 +
include/linux/err.h | 4 +-
include/linux/extcon.h | 2 +-
- include/linux/fb.h | 2 +-
+ include/linux/fb.h | 3 +-
include/linux/fdtable.h | 2 +-
- include/linux/frontswap.h | 2 +-
- include/linux/fs.h | 3 +-
+ include/linux/fs.h | 5 +-
include/linux/fs_struct.h | 2 +-
- include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache-cache.h | 2 +-
include/linux/fscache.h | 2 +-
include/linux/fsnotify.h | 2 +-
include/linux/genhd.h | 4 +-
include/linux/genl_magic_func.h | 2 +-
include/linux/gfp.h | 12 +-
- include/linux/hash.h | 2 +-
include/linux/highmem.h | 12 +
include/linux/hwmon-sysfs.h | 6 +-
include/linux/i2c.h | 1 +
- include/linux/i2o.h | 2 +-
include/linux/if_pppox.h | 2 +-
include/linux/init.h | 12 +-
include/linux/init_task.h | 7 +
include/linux/interrupt.h | 6 +-
include/linux/iommu.h | 2 +-
include/linux/ioport.h | 2 +-
- include/linux/irq.h | 3 +-
- include/linux/irqchip/arm-gic.h | 4 +-
- include/linux/jiffies.h | 14 +-
+ include/linux/ipc.h | 2 +-
+ include/linux/irq.h | 5 +-
+ include/linux/irqdesc.h | 2 +-
+ include/linux/irqdomain.h | 3 +
+ include/linux/jiffies.h | 30 +-
+ include/linux/kernel.h | 2 +-
include/linux/key-type.h | 2 +-
include/linux/kgdb.h | 6 +-
+ include/linux/kmemleak.h | 4 +-
include/linux/kobject.h | 3 +-
include/linux/kobject_ns.h | 2 +-
include/linux/kref.h | 2 +-
include/linux/libata.h | 2 +-
include/linux/linkage.h | 1 +
include/linux/list.h | 15 +
- include/linux/lockref.h | 32 +
+ include/linux/lockref.h | 26 +-
include/linux/math64.h | 10 +-
include/linux/mempolicy.h | 7 +
include/linux/mm.h | 104 +-
include/linux/mmiotrace.h | 4 +-
include/linux/mmzone.h | 2 +-
include/linux/mod_devicetable.h | 4 +-
- include/linux/module.h | 60 +-
+ include/linux/module.h | 69 +-
include/linux/moduleloader.h | 16 +
include/linux/moduleparam.h | 4 +-
- include/linux/namei.h | 6 +-
include/linux/net.h | 2 +-
include/linux/netdevice.h | 7 +-
include/linux/netfilter.h | 2 +-
include/linux/oprofile.h | 4 +-
include/linux/padata.h | 2 +-
include/linux/pci_hotplug.h | 3 +-
- include/linux/perf_event.h | 10 +-
+ include/linux/percpu.h | 2 +-
+ include/linux/perf_event.h | 12 +-
include/linux/pipe_fs_i.h | 8 +-
include/linux/pm.h | 1 +
include/linux/pm_domain.h | 4 +-
include/linux/proc_ns.h | 2 +-
include/linux/quota.h | 2 +-
include/linux/random.h | 23 +-
- include/linux/rculist.h | 20 +-
- include/linux/rcupdate.h | 2 +-
+ include/linux/rculist.h | 16 +
include/linux/reboot.h | 14 +-
include/linux/regset.h | 3 +-
include/linux/relay.h | 2 +-
include/linux/rio.h | 2 +-
include/linux/rmap.h | 4 +-
- include/linux/sched.h | 70 +-
+ include/linux/sched.h | 74 +-
include/linux/sched/sysctl.h | 1 +
- include/linux/security.h | 2 -
include/linux/semaphore.h | 2 +-
include/linux/seq_file.h | 1 +
include/linux/signal.h | 2 +-
- include/linux/skbuff.h | 8 +-
- include/linux/slab.h | 46 +-
+ include/linux/skbuff.h | 10 +-
+ include/linux/slab.h | 47 +-
include/linux/slab_def.h | 14 +-
include/linux/slub_def.h | 2 +-
include/linux/smp.h | 2 +
include/linux/sunrpc/svc_rdma.h | 18 +-
include/linux/sunrpc/svcauth.h | 2 +-
include/linux/swiotlb.h | 3 +-
- include/linux/syscalls.h | 18 +-
+ include/linux/syscalls.h | 21 +-
include/linux/syscore_ops.h | 2 +-
include/linux/sysctl.h | 3 +-
include/linux/sysfs.h | 9 +-
include/linux/sysrq.h | 3 +-
+ include/linux/tcp.h | 14 +-
include/linux/thread_info.h | 7 +
include/linux/tty.h | 4 +-
include/linux/tty_driver.h | 2 +-
include/linux/uaccess.h | 6 +-
include/linux/uio_driver.h | 2 +-
include/linux/unaligned/access_ok.h | 24 +-
- include/linux/usb.h | 4 +-
+ include/linux/usb.h | 6 +-
+ include/linux/usb/hcd.h | 1 +
include/linux/usb/renesas_usbhs.h | 2 +-
include/linux/vermagic.h | 21 +-
include/linux/vga_switcheroo.h | 8 +-
include/media/v4l2-device.h | 2 +-
include/net/9p/transport.h | 2 +-
include/net/bluetooth/l2cap.h | 2 +-
+ include/net/bonding.h | 2 +-
include/net/caif/cfctrl.h | 6 +-
include/net/flow.h | 2 +-
include/net/genetlink.h | 2 +-
include/net/gro_cells.h | 2 +-
include/net/inet_connection_sock.h | 2 +-
+ include/net/inet_sock.h | 2 +-
include/net/inetpeer.h | 2 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 8 +-
include/net/llc_s_st.h | 2 +-
include/net/mac80211.h | 2 +-
include/net/neighbour.h | 2 +-
- include/net/net_namespace.h | 16 +-
+ include/net/net_namespace.h | 18 +-
include/net/netlink.h | 2 +-
include/net/netns/conntrack.h | 6 +-
include/net/netns/ipv4.h | 4 +-
include/net/sctp/checksum.h | 4 +-
include/net/sctp/sm.h | 4 +-
include/net/sctp/structs.h | 2 +-
- include/net/sock.h | 8 +-
+ include/net/sock.h | 12 +-
include/net/tcp.h | 8 +-
include/net/xfrm.h | 13 +-
include/rdma/iw_cm.h | 2 +-
include/scsi/libfc.h | 3 +-
include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_driver.h | 2 +-
include/scsi/scsi_transport_fc.h | 3 +-
+ include/scsi/sg.h | 2 +-
include/sound/compress_driver.h | 2 +-
include/sound/soc.h | 4 +-
include/target/target_core_base.h | 2 +-
include/uapi/linux/a.out.h | 8 +
include/uapi/linux/bcache.h | 5 +-
include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/connector.h | 2 +-
include/uapi/linux/elf.h | 28 +
include/uapi/linux/screen_info.h | 3 +-
include/uapi/linux/swab.h | 6 +-
- include/uapi/linux/sysctl.h | 2 -
include/uapi/linux/xattr.h | 4 +
include/video/udlfb.h | 8 +-
include/video/uvesafb.h | 1 +
init/do_mounts_md.c | 6 +-
init/init_task.c | 4 +
init/initramfs.c | 38 +-
- init/main.c | 78 +-
- ipc/compat.c | 2 +-
- ipc/ipc_sysctl.c | 10 +-
+ init/main.c | 30 +-
+ ipc/compat.c | 4 +-
+ ipc/ipc_sysctl.c | 8 +-
ipc/mq_sysctl.c | 4 +-
+ ipc/sem.c | 4 +-
ipc/shm.c | 6 +
kernel/audit.c | 8 +-
kernel/auditsc.c | 4 +-
- kernel/bpf/core.c | 4 +-
+ kernel/bpf/core.c | 7 +-
kernel/capability.c | 3 +
kernel/compat.c | 38 +-
kernel/debug/debug_core.c | 16 +-
kernel/debug/kdb/kdb_main.c | 4 +-
- kernel/events/core.c | 28 +-
+ kernel/events/core.c | 26 +-
kernel/events/internal.h | 10 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 2 +-
- kernel/fork.c | 166 +-
+ kernel/fork.c | 165 +-
kernel/futex.c | 11 +-
kernel/futex_compat.c | 2 +-
kernel/gcov/base.c | 7 +-
+ kernel/irq/manage.c | 2 +-
+ kernel/irq/msi.c | 20 +-
+ kernel/irq/spurious.c | 2 +-
kernel/jump_label.c | 5 +
kernel/kallsyms.c | 37 +-
kernel/kexec.c | 3 +-
kernel/kprobes.c | 4 +-
kernel/ksysfs.c | 2 +-
kernel/locking/lockdep.c | 7 +-
- kernel/locking/mcs_spinlock.c | 10 +-
- kernel/locking/mcs_spinlock.h | 2 +-
kernel/locking/mutex-debug.c | 12 +-
kernel/locking/mutex-debug.h | 4 +-
kernel/locking/mutex.c | 6 +-
kernel/locking/rtmutex-tester.c | 24 +-
- kernel/module.c | 334 +-
+ kernel/module.c | 422 +-
kernel/notifier.c | 17 +-
kernel/padata.c | 4 +-
kernel/panic.c | 5 +-
kernel/ptrace.c | 8 +-
kernel/rcu/rcutorture.c | 60 +-
kernel/rcu/tiny.c | 4 +-
- kernel/rcu/tiny_plugin.h | 6 +-
- kernel/rcu/tree.c | 106 +-
+ kernel/rcu/tree.c | 66 +-
kernel/rcu/tree.h | 26 +-
- kernel/rcu/tree_plugin.h | 46 +-
+ kernel/rcu/tree_plugin.h | 14 +-
kernel/rcu/tree_trace.c | 22 +-
- kernel/rcu/update.c | 10 +-
kernel/sched/auto_group.c | 4 +-
kernel/sched/completion.c | 6 +-
kernel/sched/core.c | 45 +-
- kernel/sched/fair.c | 4 +-
+ kernel/sched/fair.c | 2 +-
kernel/sched/sched.h | 2 +-
kernel/signal.c | 12 +-
kernel/smpboot.c | 4 +-
kernel/sys.c | 10 +-
kernel/sysctl.c | 34 +-
kernel/time/alarmtimer.c | 2 +-
- kernel/time/hrtimer.c | 2 +-
kernel/time/posix-cpu-timers.c | 4 +-
kernel/time/posix-timers.c | 24 +-
kernel/time/timer.c | 4 +-
kernel/time/timer_stats.c | 10 +-
- kernel/torture.c | 10 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 15 +-
- kernel/trace/ring_buffer.c | 76 +-
+ kernel/trace/ring_buffer.c | 96 +-
kernel/trace/trace.c | 2 +-
kernel/trace/trace.h | 2 +-
kernel/trace/trace_clock.c | 4 +-
kernel/user_namespace.c | 2 +-
kernel/utsname_sysctl.c | 2 +-
kernel/watchdog.c | 2 +-
- kernel/workqueue.c | 2 +-
+ kernel/workqueue.c | 4 +-
lib/Kconfig.debug | 8 +-
lib/Makefile | 2 +-
lib/average.c | 2 +-
- lib/bitmap.c | 8 +-
+ lib/bitmap.c | 10 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
+ lib/decompress_bunzip2.c | 3 +-
+ lib/decompress_unlzma.c | 4 +-
lib/div64.c | 4 +-
lib/dma-debug.c | 4 +-
- lib/hash.c | 2 +-
lib/inflate.c | 2 +-
lib/ioremap.c | 4 +-
lib/kobject.c | 4 +-
lib/list_debug.c | 126 +-
- lib/lockref.c | 20 +-
+ lib/lockref.c | 44 +-
lib/percpu-refcount.c | 2 +-
lib/radix-tree.c | 2 +-
lib/random32.c | 2 +-
mm/Kconfig | 6 +-
mm/backing-dev.c | 4 +-
mm/filemap.c | 2 +-
- mm/fremap.c | 5 +
mm/gup.c | 13 +-
mm/highmem.c | 7 +-
mm/hugetlb.c | 70 +-
mm/internal.h | 3 +-
- mm/iov_iter.c | 6 +-
mm/maccess.c | 4 +-
- mm/madvise.c | 41 +
- mm/memory-failure.c | 30 +-
- mm/memory.c | 410 ++-
+ mm/madvise.c | 37 +
+ mm/memory-failure.c | 34 +-
+ mm/memory.c | 425 +-
mm/mempolicy.c | 25 +
mm/mlock.c | 15 +-
- mm/mmap.c | 579 ++-
+ mm/mm_init.c | 2 +-
+ mm/mmap.c | 582 +-
mm/mprotect.c | 137 +-
mm/mremap.c | 44 +-
mm/nommu.c | 21 +-
mm/page-writeback.c | 2 +-
- mm/page_alloc.c | 48 +-
+ mm/page_alloc.c | 49 +-
mm/percpu.c | 2 +-
mm/process_vm_access.c | 14 +-
- mm/rmap.c | 44 +-
+ mm/rmap.c | 45 +-
mm/shmem.c | 19 +-
- mm/slab.c | 105 +-
+ mm/slab.c | 109 +-
mm/slab.h | 22 +-
- mm/slab_common.c | 84 +-
- mm/slob.c | 214 +-
- mm/slub.c | 97 +-
+ mm/slab_common.c | 86 +-
+ mm/slob.c | 218 +-
+ mm/slub.c | 102 +-
mm/sparse-vmemmap.c | 4 +-
mm/sparse.c | 2 +-
- mm/swap.c | 3 +
+ mm/swap.c | 2 +
mm/swapfile.c | 12 +-
mm/util.c | 6 +
- mm/vmalloc.c | 75 +-
+ mm/vmalloc.c | 112 +-
mm/vmstat.c | 12 +-
net/8021q/vlan.c | 5 +-
net/8021q/vlan_netlink.c | 2 +-
- net/9p/client.c | 6 +-
net/9p/mod.c | 4 +-
net/9p/trans_fd.c | 2 +-
net/atm/atm_misc.c | 8 +-
net/can/af_can.c | 2 +-
net/can/gw.c | 6 +-
net/ceph/messenger.c | 4 +-
- net/compat.c | 34 +-
+ net/compat.c | 24 +-
net/core/datagram.c | 2 +-
- net/core/dev.c | 18 +-
+ net/core/dev.c | 16 +-
net/core/filter.c | 2 +-
net/core/flow.c | 6 +-
- net/core/iovec.c | 4 +-
net/core/neighbour.c | 4 +-
net/core/net-sysfs.c | 2 +-
net/core/net_namespace.c | 8 +-
net/core/scm.c | 8 +-
net/core/skbuff.c | 8 +-
net/core/sock.c | 28 +-
- net/core/sock_diag.c | 9 +-
- net/core/sysctl_net_core.c | 20 +-
+ net/core/sock_diag.c | 15 +-
+ net/core/sysctl_net_core.c | 22 +-
net/decnet/af_decnet.c | 1 +
net/decnet/sysctl_net_decnet.c | 4 +-
+ net/dsa/dsa.c | 2 +-
net/hsr/hsr_netlink.c | 2 +-
- net/ieee802154/6lowpan_rtnl.c | 2 +-
- net/ieee802154/reassembly.c | 14 +-
+ net/ieee802154/6lowpan/core.c | 2 +-
+ net/ieee802154/6lowpan/reassembly.c | 14 +-
net/ipv4/af_inet.c | 2 +-
net/ipv4/devinet.c | 18 +-
net/ipv4/fib_frontend.c | 6 +-
net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 4 +-
+ net/ipv4/inet_timewait_sock.c | 2 +-
net/ipv4/inetpeer.c | 2 +-
net/ipv4/ip_fragment.c | 15 +-
net/ipv4/ip_gre.c | 6 +-
net/ipv4/raw.c | 14 +-
net/ipv4/route.c | 32 +-
net/ipv4/sysctl_net_ipv4.c | 22 +-
- net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_input.c | 6 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 10 +-
net/ipv4/xfrm4_policy.c | 18 +-
- net/ipv6/addrconf.c | 12 +-
+ net/ipv6/addrconf.c | 16 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/datagram.c | 2 +-
net/ipv6/icmp.c | 2 +-
net/ipv6/sit.c | 4 +-
net/ipv6/sysctl_net_ipv6.c | 2 +-
net/ipv6/udp.c | 6 +-
- net/ipv6/xfrm6_policy.c | 19 +-
+ net/ipv6/xfrm6_policy.c | 23 +-
net/irda/ircomm/ircomm_tty.c | 18 +-
net/iucv/af_iucv.c | 4 +-
net/iucv/iucv.c | 2 +-
net/key/af_key.c | 4 +-
net/l2tp/l2tp_eth.c | 38 +-
+ net/l2tp/l2tp_ip.c | 2 +-
+ net/l2tp/l2tp_ip6.c | 2 +-
net/mac80211/cfg.c | 8 +-
net/mac80211/ieee80211_i.h | 3 +-
- net/mac80211/iface.c | 16 +-
+ net/mac80211/iface.c | 20 +-
net/mac80211/main.c | 2 +-
- net/mac80211/pm.c | 6 +-
+ net/mac80211/pm.c | 4 +-
net/mac80211/rate.c | 2 +-
- net/mac80211/util.c | 4 +-
+ net/mac80211/sta_info.c | 2 +-
+ net/mac80211/util.c | 8 +-
+ net/mpls/af_mpls.c | 6 +-
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/ipvs/ip_vs_conn.c | 6 +-
net/netfilter/ipvs/ip_vs_core.c | 4 +-
net/netfilter/nf_log.c | 10 +-
net/netfilter/nf_sockopt.c | 4 +-
net/netfilter/nfnetlink_log.c | 4 +-
+ net/netfilter/nft_compat.c | 9 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/openvswitch/vport-internal_dev.c | 2 +-
net/openvswitch/vport.c | 16 +-
net/openvswitch/vport.h | 8 +-
- net/packet/af_packet.c | 10 +-
+ net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/phonet/sysctl.c | 2 +-
net/sctp/sm_sideeffect.c | 2 +-
net/sctp/socket.c | 21 +-
net/sctp/sysctl.c | 10 +-
- net/socket.c | 20 +-
+ net/socket.c | 18 +-
net/sunrpc/auth_gss/svcauth_gss.c | 4 +-
net/sunrpc/clnt.c | 4 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma_transport.c | 10 +-
+ net/tipc/netlink_compat.c | 12 +-
net/tipc/subscr.c | 2 +-
+ net/unix/af_unix.c | 7 +-
net/unix/sysctl_net_unix.c | 2 +-
net/wireless/wext-core.c | 19 +-
net/xfrm/xfrm_policy.c | 16 +-
net/xfrm/xfrm_state.c | 33 +-
net/xfrm/xfrm_sysctl.c | 2 +-
+ scripts/Kbuild.include | 2 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.clean | 3 +-
scripts/Makefile.host | 63 +-
scripts/basic/fixdep.c | 12 +-
+ scripts/dtc/checks.c | 14 +-
+ scripts/dtc/data.c | 6 +-
+ scripts/dtc/flattree.c | 8 +-
+ scripts/dtc/livetree.c | 4 +-
scripts/gcc-plugin.sh | 51 +
scripts/headers_install.sh | 1 +
+ scripts/kallsyms.c | 4 +-
+ scripts/kconfig/lkc.h | 5 +-
+ scripts/kconfig/menu.c | 2 +-
+ scripts/kconfig/symbol.c | 6 +-
scripts/link-vmlinux.sh | 2 +-
scripts/mod/file2alias.c | 14 +-
scripts/mod/modpost.c | 25 +-
scripts/pnmtologo.c | 6 +-
scripts/sortextable.h | 6 +-
scripts/tags.sh | 2 +-
- security/Kconfig | 691 +++-
- security/apparmor/lsm.c | 2 +-
+ security/Kconfig | 691 +-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_queue.c | 2 +-
- security/keys/compat.c | 2 +-
- security/keys/internal.h | 2 +-
security/keys/key.c | 18 +-
- security/keys/keyctl.c | 8 +-
- security/security.c | 9 +-
security/selinux/avc.c | 6 +-
- security/selinux/hooks.c | 11 +-
security/selinux/include/xfrm.h | 2 +-
- security/smack/smack_lsm.c | 2 +-
- security/tomoyo/tomoyo.c | 2 +-
- security/yama/yama_lsm.c | 22 +-
+ security/yama/yama_lsm.c | 2 +-
sound/aoa/codecs/onyx.c | 7 +-
sound/aoa/codecs/onyx.h | 1 +
sound/core/oss/pcm_oss.c | 18 +-
sound/core/pcm_compat.c | 2 +-
sound/core/pcm_native.c | 4 +-
- sound/core/seq/seq_device.c | 8 +-
sound/core/sound.c | 2 +-
sound/drivers/mts64.c | 14 +-
sound/drivers/opl4/opl4_lib.c | 2 +-
sound/firewire/scs1x.c | 8 +-
sound/oss/sb_audio.c | 2 +-
sound/oss/swarm_cs4297a.c | 6 +-
- sound/pci/hda/hda_codec.c | 10 +-
+ sound/pci/hda/hda_codec.c | 2 +-
sound/pci/ymfpci/ymfpci.h | 2 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
- sound/soc/soc-core.c | 6 +-
- tools/gcc/Makefile | 40 +
+ sound/soc/soc-ac97.c | 6 +-
+ sound/soc/xtensa/xtfpga-i2s.c | 2 +-
+ tools/gcc/Makefile | 42 +
tools/gcc/checker_plugin.c | 150 +
- tools/gcc/colorize_plugin.c | 210 +
- tools/gcc/constify_plugin.c | 557 ++
- tools/gcc/gcc-common.h | 295 +
- tools/gcc/kallocstat_plugin.c | 183 +
- tools/gcc/kernexec_plugin.c | 522 ++
- tools/gcc/latent_entropy_plugin.c | 466 ++
- tools/gcc/size_overflow_plugin/.gitignore | 1 +
- tools/gcc/size_overflow_plugin/Makefile | 20 +
- .../generate_size_overflow_hash.sh | 102 +
- .../insert_size_overflow_asm.c | 748 +++
- .../insert_size_overflow_check_core.c | 943 ++++
- .../insert_size_overflow_check_ipa.c | 1141 ++++
- .../size_overflow_plugin/intentional_overflow.c | 736 +++
- tools/gcc/size_overflow_plugin/misc.c | 203 +
- .../size_overflow_plugin/remove_unnecessary_dup.c | 138 +
- tools/gcc/size_overflow_plugin/size_overflow.h | 127 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c | 116 +
- .../size_overflow_plugin/size_overflow_hash.data | 5911 ++++++++++++++++++++
+ tools/gcc/colorize_plugin.c | 215 +
+ tools/gcc/constify_plugin.c | 564 +
+ tools/gcc/gcc-common.h | 790 +
+ tools/gcc/initify_plugin.c | 450 +
+ tools/gcc/kallocstat_plugin.c | 188 +
+ tools/gcc/kernexec_plugin.c | 551 +
+ tools/gcc/latent_entropy_plugin.c | 470 +
+ tools/gcc/size_overflow_plugin/.gitignore | 2 +
+ tools/gcc/size_overflow_plugin/Makefile | 26 +
+ .../disable_size_overflow_hash.data |11008 ++++++++++++++
+ .../generate_size_overflow_hash.sh | 103 +
+ .../insert_size_overflow_asm.c | 409 +
+ .../size_overflow_plugin/intentional_overflow.c | 980 ++
+ .../size_overflow_plugin/remove_unnecessary_dup.c | 137 +
+ tools/gcc/size_overflow_plugin/size_overflow.h | 329 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 192 +
+ .../size_overflow_plugin/size_overflow_hash.data |15719 ++++++++++++++++++++
.../size_overflow_hash_aux.data | 92 +
- .../size_overflow_plugin/size_overflow_plugin.c | 259 +
- .../size_overflow_plugin_hash.c | 364 ++
- tools/gcc/stackleak_plugin.c | 395 ++
- tools/gcc/structleak_plugin.c | 274 +
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1373 ++
+ .../gcc/size_overflow_plugin/size_overflow_misc.c | 505 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 318 +
+ .../size_overflow_plugin_hash.c | 353 +
+ .../size_overflow_plugin/size_overflow_transform.c | 576 +
+ .../size_overflow_transform_core.c | 962 ++
+ tools/gcc/stackleak_plugin.c | 436 +
+ tools/gcc/structleak_plugin.c | 287 +
tools/include/linux/compiler.h | 8 +
tools/lib/api/Makefile | 2 +-
tools/perf/util/include/asm/alternative-asm.h | 3 +
tools/virtio/linux/uaccess.h | 2 +-
virt/kvm/kvm_main.c | 44 +-
- 1834 files changed, 36315 insertions(+), 8522 deletions(-)
+ 1963 files changed, 60342 insertions(+), 8946 deletions(-)