-commit d435087b7dc7861149ee39c0a06a1d7e8c942f7e
-Author: Rusty Russell <rusty@rustcorp.com.au>
-Date: Wed May 27 10:59:26 2015 +0930
+commit 87790bbd0d8dc2bd7fd86cb947e32886db9e9766
+Author: Matthew Wilcox <willy@linux.intel.com>
+Date: Tue Feb 2 16:57:52 2016 -0800
- lguest: fix out-by-one error in address checking.
+ radix-tree: fix race in gang lookup
- This bug has been there since day 1; addresses in the top guest physical
- page weren't considered valid. You could map that page (the check in
- check_gpte() is correct), but if a guest tried to put a pagetable there
- we'd check that address manually when walking it, and kill the guest.
+ If the indirect_ptr bit is set on a slot, that indicates we need to redo
+ the lookup. Introduce a new function radix_tree_iter_retry() which
+ forces the loop to retry the lookup by setting 'slot' to NULL and
+ turning the iterator back to point at the problematic entry.
- Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
- Cc: stable@kernel.org
+ This is a pretty rare problem to hit at the moment; the lookup has to
+ race with a grow of the radix tree from a height of 0. The consequences
+ of hitting this race are that gang lookup could return a pointer to a
+ radix_tree_node instead of a pointer to whatever the user had inserted
+ in the tree.
+
+ Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
+ Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 16 ++++++++++++++++
+ lib/radix-tree.c | 12 ++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+commit bf628043b4589c910919a0f221ae7f42aa8cea93
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Feb 3 02:11:03 2016 +0100
+
+ unix: correctly track in-flight fds in sending process user_struct
+
+ The commit referenced in the Fixes tag incorrectly accounted the number
+ of in-flight fds over a unix domain socket to the original opener
+ of the file-descriptor. This allows another process to arbitrary
+ deplete the original file-openers resource limit for the maximum of
+ open files. Instead the sending processes and its struct cred should
+ be credited.
+
+ To do so, we add a reference counted struct user_struct pointer to the
+ scm_fp_list and use it to account for the number of inflight unix fds.
+
+ Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+ Reported-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: David Herrmann <dh.herrmann@gmail.com>
+ Cc: Willy Tarreau <w@1wt.eu>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+commit e830db443ff78d70b7b63536e688d73907face0c
+Author: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri Jan 15 16:57:37 2016 -0800
+
+ fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+ Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+ argument end is of type pgoff_t. It was being converted to a vaddr
+ offset and passed to unmap_hugepage_range. However, end was also being
+ used as an argument to the vma_interval_tree_foreach controlling loop.
+ In addition, the conversion of end to vaddr offset was incorrect.
+
+ hugetlb_vmtruncate_list is called as part of a file truncate or
+ fallocate hole punch operation.
+
+ When truncating a hugetlbfs file, this bug could prevent some pages from
+ being unmapped. This is possible if there are multiple vmas mapping the
+ file, and there is a sufficiently sized hole between the mappings. The
+ size of the hole between two vmas (A,B) must be such that the starting
+ virtual address of B is greater than (ending virtual address of A <<
+ PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+ pages are not properly unmapped during truncate, the following BUG is
+ hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+ In the fallocate hole punch case, this bug could prevent pages from
+ being unmapped as in the truncate case. However, for hole punch the
+ result is that unmapped pages will not be removed during the operation.
+ For hole punch, it is also possible that more pages than desired will be
+ unmapped. This unnecessary unmapping will cause page faults to
+ reestablish the mappings on subsequent page access.
+
+ Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+ Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Davidlohr Bueso <dave@stgolabs.net>
+ Cc: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org> [4.3]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
+
+commit cdb3ba4a9113b779347387f3b6c6ea72dd4db12f
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Feb 4 17:06:13 2016 +0100
+
+ ALSA: timer: Fix leftover link at closing
+
+ In ALSA timer core, the active timer instance is managed in
+ active_list linked list. Each element is added / removed dynamically
+ at timer start, stop and in timer interrupt. The problem is that
+ snd_timer_interrupt() has a thinko and leaves the element in
+ active_list when it's the last opened element. This eventually leads
+ to list corruption or use-after-free error.
+
+ This hasn't been revealed because we used to delete the list forcibly
+ in snd_timer_stop() in the past. However, the recent fix avoids the
+ double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
+ corruption due to double start or stop]), and this leak hits reality.
+
+ This patch fixes the link management in snd_timer_interrupt(). Now it
+ simply unlinks no matter which stream is.
+
+ BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 47d9647902f6a2f46a2be1e0140ba0f6f8c06008
+Author: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri Feb 5 15:37:01 2016 -0800
+
+ radix-tree: fix oops after radix_tree_iter_retry
+
+ Helper radix_tree_iter_retry() resets next_index to the current index.
+ In following radix_tree_next_slot current chunk size becomes zero. This
+ isn't checked and it tries to dereference null pointer in slot.
+
+ Tagged iterator is fine because retry happens only at slot 0 where tag
+ bitmask in iter->tags is filled with single bit.
+
+ Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+ Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+ Cc: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Jeremiah Mahler <jmmahler@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 95b5dcb3c01958502af00b0bc0da1d906aae11a2
+Merge: 438be0b 256aeaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:33 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 256aeaf87c22de8edf1f03682a572c590ae07771
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:09 2016 -0500
+
+ Update to pax-linux-4.3.5-test28.patch:
+ - fixed an integer truncation bug in numa_clear_kernel_node_hotplug caught by the size overflow plugin, reported by x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4374)
+ - spender fixed UDEREF on arm
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ arch/x86/mm/numa.c | 2 +-
+ security/Kconfig | 1 -
+ 10 files changed, 60 insertions(+), 70 deletions(-)
+
+commit 438be0bd112bd17942b2628c53054dc1007558a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 19:50:31 2016 -0500
+
+ Fix a number of issues caused by the upstream merging of a UDEREF ripoff resulting in unbootable
+ ARM systems reported on the forums
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ security/Kconfig | 1 -
+ 9 files changed, 59 insertions(+), 69 deletions(-)
+
+commit 4ffdd5ef1f87e611af1efb4f251ada92abe9f4c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:21:53 2016 -0500
+
+ Fix another compiler warning
+
+ net/ipv4/tcp_input.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 30b5b7bc0fd67d458bdd5ab35e4689769eabd2ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:16:12 2016 -0500
+
+ Fix two compiler warnings
+
+ kernel/pid.c | 5 ++---
+ kernel/ptrace.c | 3 ++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit dda4d2a21914c480750f10bd55c6e3203d415d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:22:40 2016 -0500
+
+ Apply fix for integer truncation in NUMA init code, reported by
+ x14sg1 on the forums:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4374
+
+ arch/x86/mm/numa.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 477505f7c893cb6a2c3e22f83eefd9c985d7b3ca
+Merge: a781740 016d0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:58 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 016d0d81a8dd4be1304c82a68e0ccf425868f467
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:10 2016 -0500
+
+ Update to pax-linux-4.3.5-test27.patch:
+ - fixed a bunch of potential REFCOUNT false positives, reported by Emese
+ - restored padding in fpregs_state for storing AVX-512 state in the future
+ - constified netlink_dump_control
+ - added const version of debug_gimple_stmt for gcc plugins, by Emese
+ - Emese fixed a bug in initify that could have initified too much
+ - Emese fixed a false positive intentional integer overflow in xfrm4_extract_header, reported by corsac
+
+ arch/x86/include/asm/fpu/types.h | 1 +
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ block/blk-cgroup.c | 18 ++--
+ block/cfq-iosched.c | 4 +-
+ crypto/crypto_user.c | 8 ++-
+ drivers/acpi/apei/ghes.c | 6 +-
+ drivers/char/ipmi/ipmi_ssif.c | 12 ++--
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +-
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 2 +-
+ drivers/gpu/drm/amd/scheduler/sched_fence.c | 2 +-
+ drivers/infiniband/core/netlink.c | 5 +-
+ drivers/infiniband/hw/cxgb4/device.c | 6 +-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/bcache.h | 10 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/io.c | 10 +-
+ drivers/md/bcache/journal.c | 2 +-
+ drivers/md/bcache/stats.c | 26 +++---
+ drivers/md/bcache/stats.h | 16 ++--
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bcache/sysfs.c | 20 +++---
+ drivers/md/dm-cache-target.c | 98 ++++++++++++------------
+ drivers/md/dm-raid.c | 2 +-
+ drivers/md/md.c | 6 +-
+ drivers/md/md.h | 2 +-
+ drivers/md/raid1.c | 2 +-
+ drivers/md/raid10.c | 2 +-
+ drivers/md/raid5.c | 4 +-
+ drivers/media/pci/zoran/zoran.h | 1 -
+ drivers/media/pci/zoran/zoran_driver.c | 3 -
+ drivers/net/ethernet/sfc/selftest.c | 20 +++---
+ drivers/net/irda/vlsi_ir.c | 18 ++--
+ drivers/net/irda/vlsi_ir.h | 14 ++--
+ drivers/net/wireless/ath/carl9170/carl9170.h | 6 +-
+ drivers/net/wireless/ath/carl9170/debug.c | 6 +-
+ drivers/net/wireless/ath/carl9170/main.c | 10 +-
+ drivers/net/wireless/ath/carl9170/tx.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/d3.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 2 +-
+ drivers/scsi/hptiop.c | 2 -
+ drivers/scsi/hptiop.h | 1 -
+ drivers/scsi/ipr.c | 6 +-
+ drivers/scsi/ipr.h | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 10 +-
+ drivers/scsi/qla2xxx/qla_target.h | 2 +-
+ fs/btrfs/ctree.c | 2 +-
+ fs/btrfs/ctree.h | 4 +-
+ fs/btrfs/delayed-ref.c | 4 +-
+ fs/btrfs/disk-io.c | 4 +-
+ fs/btrfs/file.c | 4 +-
+ fs/btrfs/raid56.c | 32 ++++----
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ fs/btrfs/transaction.c | 2 +-
+ fs/btrfs/tree-log.c | 8 +-
+ fs/btrfs/volumes.c | 14 ++--
+ fs/btrfs/volumes.h | 22 +++---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 4 +-
+ fs/ocfs2/dlm/dlmcommon.h | 4 +-
+ fs/ocfs2/dlm/dlmdebug.c | 10 +-
+ fs/ocfs2/dlm/dlmdomain.c | 4 +-
+ fs/ocfs2/dlm/dlmmaster.c | 4 +-
+ include/acpi/ghes.h | 2 +-
+ include/linux/blk-cgroup.h | 24 +++---
+ include/linux/jbd2.h | 2 +-
+ include/linux/netlink.h | 12 ++--
+ include/net/cfg802154.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +-
+ net/batman-adv/routing.c | 4 +-
+ net/batman-adv/soft-interface.c | 2 +-
+ net/batman-adv/translation-table.c | 14 ++--
+ net/batman-adv/types.h | 2 +-
+ net/core/neighbour.c | 14 ++--
+ net/core/rtnetlink.c | 2 +-
+ net/ipv4/arp.c | 2 +-
+ net/ipv4/inet_diag.c | 4 +-
+ net/ipv4/xfrm4_state.c | 4 +-
+ net/ipv6/ndisc.c | 2 +-
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/debugfs_key.c | 2 +-
+ net/mac80211/key.c | 4 +-
+ net/mac80211/tx.c | 2 +-
+ net/mac80211/wpa.c | 10 +-
+ net/mac802154/iface.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 22 +++---
+ net/netfilter/nf_tables_api.c | 13 ++--
+ net/netfilter/nfnetlink_acct.c | 7 +-
+ net/netfilter/nfnetlink_cthelper.c | 2 +-
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ net/netlink/af_netlink.c | 10 ++-
+ net/netlink/diag.c | 2 +-
+ net/netlink/genetlink.c | 14 ++--
+ net/packet/af_packet.c | 18 ++--
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 6 +-
+ net/unix/diag.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ security/apparmor/policy.c | 4 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_fifo.c | 6 +-
+ sound/core/seq/seq_fifo.h | 2 +-
+ tools/gcc/gcc-common.h | 24 ++++--
+ tools/gcc/initify_plugin.c | 7 +-
+ tools/lib/api/Makefile | 2 +-
+ 109 files changed, 399 insertions(+), 391 deletions(-)
+
+commit a7817402ac837b1aee07fac42537a02097055098
+Author: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Fri Jan 29 11:36:10 2016 +0000
+
+ x86/mm/pat: Avoid truncation when converting cpa->numpages to address
+
+ There are a couple of nasty truncation bugs lurking in the pageattr
+ code that can be triggered when mapping EFI regions, e.g. when we pass
+ a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
+ left by PAGE_SHIFT will truncate the resultant address to 32-bits.
+
+ Viorel-Cătălin managed to trigger this bug on his Dell machine that
+ provides a ~5GB EFI region which requires 1236992 pages to be mapped.
+ When calling populate_pud() the end of the region gets calculated
+ incorrectly in the following buggy expression,
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+
+ And only 188416 pages are mapped. Next, populate_pud() gets invoked
+ for a second time because of the loop in __change_page_attr_set_clr(),
+ only this time no pages get mapped because shifting the remaining
+ number of pages (1048576) by PAGE_SHIFT is zero. At which point the
+ loop in __change_page_attr_set_clr() spins forever because we fail to
+ map progress.
+
+ Hitting this bug depends very much on the virtual address we pick to
+ map the large region at and how many pages we map on the initial run
+ through the loop. This explains why this issue was only recently hit
+ with the introduction of commit
+
+ a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
+ entries bottom-up at runtime, instead of top-down")
+
+ It's interesting to note that safe uses of cpa->numpages do exist in
+ the pageattr code. If instead of shifting ->numpages we multiply by
+ PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
+ so the result is unsigned long.
+
+ To avoid surprises when users try to convert very large cpa->numpages
+ values to addresses, change the data type from 'int' to 'unsigned
+ long', thereby making it suitable for shifting by PAGE_SHIFT without
+ any type casting.
+
+ The alternative would be to make liberal use of casting, but that is
+ far more likely to cause problems in the future when someone adds more
+ code and fails to cast properly; this bug was difficult enough to
+ track down in the first place.
+
+ Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
+ Acked-by: Borislav Petkov <bp@alien8.de>
+ Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
+ Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/mm/pageattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 64dd9d7a67a742fda257cdd16510c29e695c34b5
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Tue Jan 26 04:15:18 2016 -0700
+
+ x86/mm: Fix types used in pgprot cacheability flags translations
+
+ For PAE kernels "unsigned long" is not suitable to hold page protection
+ flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
+ few W+X pages getting reported as insecure during boot (observed namely
+ for the entire initrd range).
+
+ Fixes: 281d4078be ("x86: Make page cache mode a real type")
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Reviewed-by: Juergen Gross <JGross@suse.com>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/include/asm/pgtable_types.h | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit bb9a3a9df0d8dfc96d521676e64c42b37ba22aea
+Merge: 682d661 f74425b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:06:25 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/slip/slhc.c
+ include/linux/sched.h
+ net/unix/af_unix.c
+ sound/core/timer.c
+
+commit f74425b5705bfe52aff9e97659ef10c4a14176c3
+Merge: d14af1f 849a2d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:02:55 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
+ Conflicts:
+ arch/x86/include/asm/mmu_context.h
+
+commit 682d6611d75542e351c973c8dd74a99d3966c073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 30 13:05:03 2016 -0500
+
+ Based on a report from Mathias Krause, fix up a number of additional instances
+ of ulong overflow when passing in values to gr_learn_resource by saturating
+ to ULONG_MAX
+
+ mm/mlock.c | 11 ++++++++---
+ mm/mmap.c | 16 +++++++++++++---
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+commit adb52e95fb9ad4ac9c56cd5d47bd668f47c33096
+Author: Jann Horn <jann@thejh.net>
+Date: Sat Dec 26 06:00:48 2015 +0100
+
+ seccomp: always propagate NO_NEW_PRIVS on tsync
+
+ Before this patch, a process with some permissive seccomp filter
+ that was applied by root without NO_NEW_PRIVS was able to add
+ more filters to itself without setting NO_NEW_PRIVS by setting
+ the new filter from a throwaway thread with NO_NEW_PRIVS.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+
+ kernel/seccomp.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+commit b85450498a3bbf269441c8963d7574bb3079c838
+Merge: 59c216f d14af1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:54:13 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d14af1f1dd66511f3f0674deee2b572972012b39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:53:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test26.patch:
+ - Emese fixed a few intentional overflows introduced by gcc, reported by StalkR (https://forums.grsecurity.net/viewtopic.php?f=3&t=4370)
+
+ fs/cifs/file.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 96 ++++++++++++++++++--
+ tools/gcc/size_overflow_plugin/size_overflow.h | 2 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 6 +-
+ .../size_overflow_transform_core.c | 5 +
+ 7 files changed, 102 insertions(+), 15 deletions(-)
+
+commit 59c216f13587eacdd692386b7a403ae78ed84fb6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 27 17:57:21 2016 -0500
+
+ Fix a size_overflow report reported by Mathias Krause in our
+ truncation of an loff_t to an unsigned long when being passed
+ to gr_learn_resource() (as all resource checks are against unsigned long
+ values)
+
+ fs/attr.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 70636c6ad60fc1db3af764ecc789b827b7497a97
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Wed Jan 6 12:42:38 2016 -0800
+
+ tcp: fix zero cwnd in tcp_cwnd_reduction
+
+ Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
+ conditionally") introduced a bug that cwnd may become 0 when both
+ inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
+ to a div-by-zero if the connection starts another cwnd reduction
+ phase by setting tp->prior_cwnd to the current cwnd (0) in
+ tcp_init_cwnd_reduction().
+
+ To prevent this we skip PRR operation when nothing is acked or
+ sacked. Then cwnd must be positive in all cases as long as ssthresh
+ is positive:
+
+ 1) The proportional reduction mode
+ inflight > ssthresh > 0
+
+ 2) The reduction bound mode
+ a) inflight == ssthresh > 0
+
+ b) inflight < ssthresh
+ sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
+
+ Therefore in all cases inflight and sndcnt can not both be 0.
+ We check invalid tp->prior_cwnd to avoid potential div0 bugs.
+
+ In reality this bug is triggered only with a sequence of less common
+ events. For example, the connection is terminating an ECN-triggered
+ cwnd reduction with an inflight 0, then it receives reordered/old
+ ACKs or DSACKs from prior transmission (which acks nothing). Or the
+ connection is in fast recovery stage that marks everything lost,
+ but fails to retransmit due to local issues, then receives data
+ packets from other end which acks nothing.
+
+ Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
+ Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_input.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit dac1da2bedbb43195d371c7a192cfeeb45683df0
+Author: Eric Dumazet <edumazet@google.com>
+Date: Sun Jan 24 13:53:50 2016 -0800
+
+ af_unix: fix struct pid memory leak
+
+ Dmitry reported a struct pid leak detected by a syzkaller program.
+
+ Bug happens in unix_stream_recvmsg() when we break the loop when a
+ signal is pending, without properly releasing scm.
+
+ Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 15cc47f127520d1ac0c1fe76d993c2c27f0f2571
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jan 22 01:39:43 2016 +0100
+
+ pptp: fix illegal memory access caused by multiple bind()s
+
+ Several times already this has been reported as kasan reports caused by
+ syzkaller and trinity and people always looked at RCU races, but it is
+ much more simple. :)
+
+ In case we bind a pptp socket multiple times, we simply add it to
+ the callid_sock list but don't remove the old binding. Thus the old
+ socket stays in the bucket with unused call_id indexes and doesn't get
+ cleaned up. This causes various forms of kasan reports which were hard
+ to pinpoint.
+
+ Simply don't allow multiple binds and correct error handling in
+ pptp_bind. Also keep sk_state bits in place in pptp_connect.
+
+ Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Cc: Sasha Levin <sasha.levin@oracle.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dave Jones <davej@codemonkey.org.uk>
+ Reported-by: Dave Jones <davej@codemonkey.org.uk>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ppp/pptp.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
+
+commit e2b7b8c66851c85188fa6dab2d2b2a6c85bc7332
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:17:10 2016 -0500
+
+ Add info about cpupower/powertop to GRKERNSEC_KMEM, was present on our
+ wiki but was removed from the config help at some point
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit ce2e88efa000fc32bfcd84098f57c8ed8310fefc
+Author: Thomas Egerer <hakke_007@gmx.de>
+Date: Mon Jan 25 12:58:44 2016 +0100
+
+ ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
+
+ The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
+ to select CRYPTO_ECHAINIV in order to work properly. This solves the
+ issues caused by a misconfiguration as described in [1].
+ The original approach, patching crypto/Kconfig was turned down by
+ Herbert Xu [2].
+
+ [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
+ [2] http://marc.info/?l=linux-crypto-vger&m=145224655809562&w=2
+
+ Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
+ Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/Kconfig | 1 +
+ net/ipv6/Kconfig | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit fca5a303155ea67d28aece0caf2b03ffc3b2668d
+Merge: 904114c 6339c1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:08:40 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 6339c1f9a9beafd417bf9f04d4b257e62aeb45b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:07:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test25.patch:
+ - fixed incorrect handling of VM_DONTCOPY during fork that would trigger a consistency check in the vma mirroring logic, reported by Mathias Krause <minipli@googlemail.com>
+ - fixed init_new_context on !MODIFY_LDT_SYSCALL configs, reported by tjh (https://forums.grsecurity.net/viewtopic.php?f=3&t=4368)
+ - fixed a few REFCOUNT false positives in SNMP related statistics
+
+ arch/x86/Kconfig | 2 +-
+ arch/x86/include/asm/mmu_context.h | 17 +++++++++++++++++
+ include/net/snmp.h | 10 +++++-----
+ kernel/fork.c | 11 +++++++++--
+ net/ipv4/proc.c | 8 ++++----
+ net/ipv6/addrconf.c | 4 ++--
+ net/ipv6/proc.c | 10 +++++-----
+ 7 files changed, 43 insertions(+), 19 deletions(-)
+
+commit 904114c2fce3fdff5d57e763da56a78960db4e19
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Jan 22 18:08:52 2016 -0500
+
+ make sure that freeing shmem fast symlinks is RCU-delayed
+
+ Cc: stable@vger.kernel.org # v4.2+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ include/linux/shmem_fs.h | 5 +----
+ mm/shmem.c | 9 ++++-----
+ 2 files changed, 5 insertions(+), 9 deletions(-)
+
+commit ab86adee64312a2f827dd516cb199521327943ed
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon Jan 18 19:23:51 2016 -0500
+
+ netfilter: nf_conntrack: use safer way to lock all buckets
+
+ When we need to lock all buckets in the connection hashtable we'd attempt to
+ lock 1024 spinlocks, which is way more preemption levels than supported by
+ the kernel. Furthermore, this behavior was hidden by checking if lockdep is
+ enabled, and if it was - use only 8 buckets(!).
+
+ Fix this by using a global lock and synchronize all buckets on it when we
+ need to lock them all. This is pretty heavyweight, but is only done when we
+ need to resize the hashtable, and that doesn't happen often enough (or at all).
+
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+ Reviewed-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ Conflicts:
+
+ net/netfilter/nfnetlink_cttimeout.c
+
+ include/net/netfilter/nf_conntrack_core.h | 8 ++----
+ net/netfilter/nf_conntrack_core.c | 38 +++++++++++++++++++++-------
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 2 +-
+ 4 files changed, 33 insertions(+), 17 deletions(-)
+
+commit 37014723527225481c720484bb788a1a6358072f
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Jan 18 16:36:09 2016 +0100
+
+ pipe: limit the per-user amount of pages allocated in pipes
+
+ On no-so-small systems, it is possible for a single process to cause an
+ OOM condition by filling large pipes with data that are never read. A
+ typical process filling 4000 pipes with 1 MB of data will use 4 GB of
+ memory. On small systems it may be tricky to set the pipe max size to
+ prevent this from happening.
+
+ This patch makes it possible to enforce a per-user soft limit above
+ which new pipes will be limited to a single page, effectively limiting
+ them to 4 kB each, as well as a hard limit above which no new pipes may
+ be created for this user. This has the effect of protecting the system
+ against memory abuse without hurting other users, and still allowing
+ pipes to work correctly though with less data at once.
+
+ The limit are controlled by two new sysctls : pipe-user-pages-soft, and
+ pipe-user-pages-hard. Both may be disabled by setting them to zero. The
+ default soft limit allows the default number of FDs per process (1024)
+ to create pipes of the default size (64kB), thus reaching a limit of 64MB
+ before starting to create only smaller pipes. With 256 processes limited
+ to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
+ 1084 MB of memory allocated for a user. The hard limit is disabled by
+ default to avoid breaking existing applications that make intensive use
+ of pipes (eg: for splicing).
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Documentation/sysctl/fs.txt | 23 +++++++++++++++++++++
+ fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++-
+ include/linux/pipe_fs_i.h | 4 +++
+ include/linux/sched.h | 1 +
+ kernel/sysctl.c | 14 ++++++++++++
+ 5 files changed, 87 insertions(+), 2 deletions(-)
+
+commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8
+Merge: 540f2af 7791ecb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 23 10:57:11 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7791ecb84f840343a5646236fd0d34e1fb450793
+Merge: 470069c 399588c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 23 10:56:47 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
+commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 21:18:47 2016 -0500
+
+ Update size_overflow hash table
+
+ .../size_overflow_plugin/size_overflow_hash.data | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 7e649765626a28437f573f0fbe7a51a04615f041
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 20:29:46 2016 -0500
+
+ Backport fix from: https://lkml.org/lkml/2015/12/13/187
+
+ fs/ext4/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 53b859cd0a5f5b6ad54fe0c879dfedaa3c5a3005
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:30 2016 +0100
+
+ compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
+
+ This replaces all code in fs/compat_ioctl.c that translated
+ ioctl arguments into a in-kernel structure, then performed
+ do_ioctl under set_fs(KERNEL_DS), with code that allocates
+ data on the user stack and can call the VFS ioctl handler
+ under USER_DS.
+
+ This is done as a hardening measure because the caller
+ does not know what kind of ioctl handler will be invoked,
+ only that no corresponding compat_ioctl handler exists and
+ what the ioctl command number is. The accidental
+ invocation of an unlocked_ioctl handler that unexpectedly
+ calls copy_to_user could be a severe security issue.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/compat_ioctl.c
+
+ fs/compat_ioctl.c | 130 ++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 68 insertions(+), 62 deletions(-)
+
+commit 3e89e770ae27e931cd1583f021abac41eeebc3e7
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Jan 7 09:53:30 2016 -0500
+
+ compat_ioctl: don't pass fd around when not needed
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/compat_ioctl.c | 103 ++++++++++++++++++++++++++--------------------------
+ fs/internal.h | 7 ++++
+ fs/ioctl.c | 4 +-
+ include/linux/fs.h | 2 -
+ 4 files changed, 61 insertions(+), 55 deletions(-)
+
+commit 9d4e04082752d4d2d68445c4e6faf33a2613df55
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:29 2016 +0100
+
+ compat_ioctl: don't look up the fd twice
+
+ In code in fs/compat_ioctl.c that translates ioctl arguments
+ into a in-kernel structure, then performs sys_ioctl, possibly
+ under set_fs(KERNEL_DS), this commit changes the sys_ioctl
+ calls to do_ioctl calls. do_ioctl is a new function that does
+ the same thing as sys_ioctl, but doesn't look up the fd again.
+
+ This change is made to avoid (potential) security issues
+ because of ioctl handlers that accept one of the ioctl
+ commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
+ TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
+ This can happen for multiple reasons:
+
+ - The ioctl command number could be reused.
+ - The ioctl handler might not check the full ioctl
+ command. This is e.g. true for drm_ioctl.
+ - The ioctl handler is very special, e.g. cuse_file_ioctl
+
+ The real issue is that set_fs(KERNEL_DS) is used here,
+ but that's fixed in a separate commit
+ "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
+
+ This change mitigates potential security issues by
+ preventing a race that permits invocation of
+ unlocked_ioctl handlers under KERNEL_DS through compat
+ code even if a corresponding compat_ioctl handler exists.
+
+ So far, no way has been identified to use this to damage
+ kernel memory without having CAP_SYS_ADMIN in the init ns
+ (with the capability, doing reads/writes at arbitrary
+ kernel addresses should be easy through CUSE's ioctl
+ handler with FUSE_IOCTL_UNRESTRICTED set).
+
+ [AV: two missed sys_ioctl() taken care of]
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/compat_ioctl.c | 122 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 68 insertions(+), 54 deletions(-)
+
+commit 5bf9e1ed4ebb278cd956ba142914fc04a024309c
+Author: Vasily Kulikov <segoon@openwall.com>
+Date: Fri Jan 15 16:57:55 2016 -0800
+
+ include/linux/poison.h: use POISON_POINTER_DELTA for poison pointers
+
+ TIMER_ENTRY_STATIC is defined as a poison pointers which
+ should point to nowhere. Redefine them using POISON_POINTER_DELTA
+ arithmetics to make sure they really point to non-mappable area declared
+ by the target architecture.
+
+ Signed-off-by: Vasily Kulikov <segoon@openwall.com>
+ Acked-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Solar Designer <solar@openwall.com>
+ Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ include/linux/poison.h
+
+ include/linux/poison.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60f2e0a05ab8f56c804a9334a23e2b446305d110
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:41:44 2016 -0500
+
+ Fix ARM compilation, reported by Austin Sepp
+
+ grsecurity/grsec_sig.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e15383743443dc43460a2fd73e0db0b608610dca
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Mon Jan 18 13:52:47 2016 +0100
+
+ ALSA: hrtimer: Fix stall by hrtimer_cancel()
+
+ hrtimer_cancel() waits for the completion from the callback, thus it
+ must not be called inside the callback itself. This was already a
+ problem in the past with ALSA hrtimer driver, and the early commit
+ [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
+
+ However, the previous fix is still insufficient: it may still cause a
+ lockup when the ALSA timer instance reprograms itself in its callback.
+ Then it invokes the start function even in snd_timer_interrupt() that
+ is called in hrtimer callback itself, results in a CPU stall. This is
+ no hypothetical problem but actually triggered by syzkaller fuzzer.
+
+ This patch tries to fix the issue again. Now we call
+ hrtimer_try_to_cancel() at both start and stop functions so that it
+ won't fall into a deadlock, yet giving some chance to cancel the queue
+ if the functions have been called outside the callback. The proper
+ hrtimer_cancel() is called in anyway at closing, so this should be
+ enough.
+
+ Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/hrtimer.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 12d874daf706e6e7c1ae709141859c809599297e
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 12:38:02 2016 +0100
+
+ ALSA: seq: Fix missing NULL check at remove_events ioctl
+
+ snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+ unconditionally even if there is no FIFO assigned, and this leads to
+ an Oops due to NULL dereference. The fix is just to add a proper NULL
+ check.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2eb0632df1351378946507e7ef7ba0682632a7b5
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 15:36:27 2016 +0100
+
+ ALSA: seq: Fix race at timer setup and close
+
+ ALSA sequencer code has an open race between the timer setup ioctl and
+ the close of the client. This was triggered by syzkaller fuzzer, and
+ a use-after-free was caught there as a result.
+
+ This patch papers over it by adding a proper queue->timer_mutex lock
+ around the timer-related calls in the relevant code path.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/seq/seq_queue.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit b9e55ab955e59b4a636d78a748be90334a48b485
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Jan 14 16:30:58 2016 +0100
+
+ ALSA: timer: Harden slave timer list handling
+
+ A slave timer instance might be still accessible in a racy way while
+ operating the master instance as it lacks of locking. Since the
+ master operation is mostly protected with timer->lock, we should cope
+ with it while changing the slave instance, too. Also, some linked
+ lists (active_list and ack_list) of slave instances aren't unlinked
+ immediately at stopping or closing, and this may lead to unexpected
+ accesses.
+
+ This patch tries to address these issues. It adds spin lock of
+ timer->lock (either from master or slave, which is equivalent) in a
+ few places. For avoiding a deadlock, we ensure that the global
+ slave_active_lock is always locked at first before each timer lock.
+
+ Also, ack and active_list of slave instances are properly unlinked at
+ snd_timer_stop() and snd_timer_close().
+
+ Last but not least, remove the superfluous call of _snd_timer_stop()
+ at removing slave links. This is a noop, and calling it may confuse
+ readers wrt locking. Further cleanup will follow in a later patch.
+
+ Actually we've got reports of use-after-free by syzkaller fuzzer, and
+ this hopefully fixes these issues.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 files changed, 14 insertions(+), 4 deletions(-)
+
+commit f1ce0547bdfda1b42ae8a66c222f2a897cbe1586
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 17:48:01 2016 +0100
+
+ ALSA: timer: Fix race among timer ioctls
+
+ ALSA timer ioctls have an open race and this may lead to a
+ use-after-free of timer instance object. A simplistic fix is to make
+ each ioctl exclusive. We have already tread_sem for controlling the
+ tread, and extend this as a global mutex to be applied to each ioctl.
+
+ The downside is, of course, the worse concurrency. But these ioctls
+ aren't to be parallel accessible, in anyway, so it should be fine to
+ serialize there.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 32 +++++++++++++++++++-------------
+ 1 files changed, 19 insertions(+), 13 deletions(-)
+
+commit 8347d8461ed48a98f9c76cc3cfcdad8217d314bc
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 21:35:06 2016 +0100
+
+ ALSA: timer: Fix double unlink of active_list
+
+ ALSA timer instance object has a couple of linked lists and they are
+ unlinked unconditionally at snd_timer_stop(). Meanwhile
+ snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+ the element list itself unchanged. This ends up with unlinking twice,
+ and it was caught by syzkaller fuzzer.
+
+ The fix is to use list_del_init() variant properly there, too.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 243aebb7ae71d6e11ea9880faa893d1d0d60cd75
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jan 18 18:03:48 2016 +0100
+
+ ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack
+
+ It was seen that defective configurations of openvswitch could overwrite
+ the STACK_END_MAGIC and cause a hard crash of the kernel because of too
+ many recursions within ovs.
+
+ This problem arises due to the high stack usage of openvswitch. The rest
+ of the kernel is fine with the current limit of 10 (RECURSION_LIMIT).
+
+ We use the already existing recursion counter in ovs_execute_actions to
+ implement an upper bound of 5 recursions.
+
+ Cc: Pravin Shelar <pshelar@ovn.org>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/openvswitch/actions.c | 19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
+
+commit 8080793479c6d5befe37a67b1dbd9e4e0a61af96
+Author: Ursula Braun <ursula.braun@de.ibm.com>
+Date: Tue Jan 19 10:41:33 2016 +0100
+
+ af_iucv: Validate socket address length in iucv_sock_bind()
+
+ Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Evgeny Cherkashin <Eugene.Crosser@ru.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/iucv/af_iucv.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 50a383c1c91ed7409c3cbdd41e662d6891463d1b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:32:54 2016 -0500
+
+ Apply the same fix as everyone else for the recent keys vulnerability that is
+ unexploitable under PAX_REFCOUNT
+
+ Make a couple more changes that no one else can/will
+
+ include/linux/key-type.h | 4 ++--
+ ipc/msgutil.c | 4 ++--
+ security/keys/internal.h | 2 +-
+ security/keys/process_keys.c | 1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+commit b56c3a63f431c193400aee17543021950bd14bc4
+Merge: 38b1a3d 470069c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 18:30:19 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 470069cfedef2180313233d275be5901bd6d1135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 18:29:59 2016 -0500
+
+ Update to pax-linux-4.3.3-test22.patch:
+ - Emesed fixed a gcc induced intentional integer overflow in asix_rx_fixup_internal, reported by thomas callison caffrey
+ - fixed some more fallout from the drm_drivers constification, reported by Colin Childs and Toralf Foerster
+
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 ++++----------
+ drivers/gpu/drm/drm_pci.c | 3 +++
+ drivers/gpu/drm/gma500/psb_drv.c | 4 ----
+ drivers/gpu/drm/i915/i915_drv.c | 16 ++++++++--------
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 6 +++---
+ drivers/gpu/drm/radeon/radeon_drv.c | 4 +---
+ drivers/net/usb/asix_common.c | 3 ++-
+ include/drm/drmP.h | 1 +
+ 8 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 38b1a3d676f407865c3d41840df8213c5ad639c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 12:33:53 2016 -0500
+
+ As reported by Luis Ressel, the Kconfig help for GRKERNSEC_BRUTE
+ mentioned banning execution of suid/sgid binaries, though the kernel
+ source clearly only mentions banning execution of suid binaries. Since
+ there's no reason for us to not ban execution of sgid binaries as well,
+ make the implementation match the Kconfig description.
+
+ fs/exec.c | 4 ++--
+ grsecurity/grsec_sig.c | 27 ++++++++++++++-------------
+ include/linux/sched.h | 4 ++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+commit 8c3bcb7dbf7f606acfa0983e81f0f928da1f1ace
+Merge: d141a86 ea4a835
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:12:22 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/gpu/drm/i810/i810_drv.c
+
+commit ea4a835328ada6513ac013986764d6caea8cd348
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:11:30 2016 -0500
+
+ Update to pax-linux-4.3.3-test21.patch:
+ - fixed some fallout from the drm_drivers constification, reported by spender
+
+ drivers/gpu/drm/armada/armada_drv.c | 3 +--
+ drivers/gpu/drm/exynos/exynos_drm_drv.c | 1 -
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 6 +++++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
+
+commit d141a86fd66194bc3f896b6809b189e2f12a9a83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 13:16:36 2016 -0500
+
+ compile fix
+
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 4 +++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+commit 0d9dc4b25ea32c14561bcfe6b5b24f1b00fe0270
+Merge: 5fa135d bbda879
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:59:22 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit bbda87914edf63e27fb46670bf3a373f2b963c73
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:58:04 2016 -0500
+
+ Update to pax-linux-4.3.3-test20.patch:
+ - constified drm_driver
+ - Emese fixed a special case in handling __func__ in the initify plugin
+ - Emese fixed a false positive size overflow report in handling inbufBits, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=567048)
+ - fixed regression that caused perf to not resolve kernel code addresses under KERNEXEC/i386, reported by minipli
+
+ arch/x86/kernel/cpu/perf_event.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_ds.c | 7 +-
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 4 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/mm/mpx.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 8 ++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ drivers/gpu/drm/drm_pci.c | 6 +-
+ drivers/gpu/drm/gma500/psb_drv.c | 5 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.c | 15 ++--
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_irq.c | 88 ++++++++++----------
+ drivers/gpu/drm/mga/mga_drv.c | 5 +-
+ drivers/gpu/drm/mga/mga_drv.h | 2 +-
+ drivers/gpu/drm/mga/mga_state.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 13 ++--
+ drivers/gpu/drm/qxl/qxl_drv.c | 8 ++-
+ drivers/gpu/drm/qxl/qxl_ioctl.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.c | 4 +-
+ drivers/gpu/drm/r128/r128_drv.h | 2 +-
+ drivers/gpu/drm/r128/r128_state.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.c | 17 +++-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_kms.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 2 +-
+ drivers/gpu/drm/savage/savage_bci.c | 2 +-
+ drivers/gpu/drm/savage/savage_drv.c | 5 +-
+ drivers/gpu/drm/savage/savage_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_drv.c | 5 +-
+ drivers/gpu/drm/sis/sis_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_mm.c | 2 +-
+ drivers/gpu/drm/via/via_dma.c | 2 +-
+ drivers/gpu/drm/via/via_drv.c | 5 +-
+ drivers/gpu/drm/via/via_drv.h | 2 +-
+ include/drm/drmP.h | 2 +-
+ mm/slab.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 6 +-
+ tools/gcc/initify_plugin.c | 15 +++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 3 +-
+ 42 files changed, 156 insertions(+), 110 deletions(-)
+
+commit 5fa135dc116350e0205c39ef65eaf6496ed2748a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:19:23 2016 -0500
+
+ compile fix
+
+ grsecurity/grsec_sig.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit a9090fa58f33f75c7450fda5721a9b13625a47d9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:10:37 2016 -0500
+
+ As pointed out by Jann Horn, some distros are starting to circumvent
+ previous assumptions about the attainability of a user to control
+ multiple UIDs by handing out suid binaries that allow a user to run
+ processes (including exploits) under a number of other pre-defined
+ UIDs. As this could potentially be used to bypass GRKERNSEC_BRUTE
+ (though it would have to involve some code path that doesn't involve
+ locks) fix that here by ensuring no more than 8 users on a system can
+ be banned before a reboot is required. If more are banned, a panic
+ is triggered.
+
+ grsecurity/grsec_sig.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit a8d37776e9521c567ebff6730d49312f72435f08
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Dec 3 11:12:07 2015 -0800
+
+ proc: add a reschedule point in proc_readfd_common()
+
+ User can pass an arbitrary large buffer to getdents().
+
+ It is typically a 32KB buffer used by libc scandir() implementation.
+
+ When scanning /proc/{pid}/fd, we can hold cpu way too long,
+ so add a cond_resched() to be kind with other tasks.
+
+ We've seen latencies of more than 50ms on real workloads.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/proc/fd.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0adba75f8708f13b1f5d98ebe3fc2fb961e100c8
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 12 20:17:08 2016 +0100
+
+ net: bpf: reject invalid shifts
+
+ On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
+ constant shift that can't be encoded in the immediate field of the
+ UBFM/SBFM instructions is passed to the JIT. Since these shifts
+ amounts, which are negative or >= regsize, are invalid, reject them in
+ the eBPF verifier and the classic BPF filter checker, for all
+ architectures.
+
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ kernel/bpf/verifier.c | 10 ++++++++++
+ net/core/filter.c | 5 +++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
+
+commit c248e115a73496625a1c64660d0eeefd67e55cbf
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri Jan 8 11:00:54 2016 -0200
+
+ sctp: fix use-after-free in pr_debug statement
+
+ Dmitry Vyukov reported a use-after-free in the code expanded by the
+ macro debug_post_sfx, which is caused by the use of the asoc pointer
+ after it was freed within sctp_side_effect() scope.
+
+ This patch fixes it by allowing sctp_side_effect to clear that asoc
+ pointer when the TCB is freed.
+
+ As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
+ because it will trigger DELETE_TCB too on that same loop.
+
+ Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
+ but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
+ above. Fix it by returning SCTP_DISPOSITION_ABORT instead.
+
+ The macro is already prepared to handle such NULL pointer.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/sm_sideeffect.c | 11 ++++++-----
+ net/sctp/sm_statefuns.c | 17 ++++-------------
+ 2 files changed, 10 insertions(+), 18 deletions(-)
+
+commit 395ea8a9e73e184fc14153a033000bccf4213213
+Author: willy tarreau <w@1wt.eu>
+Date: Sun Jan 10 07:54:56 2016 +0100
+
+ unix: properly account for FDs passed over unix sockets
+
+ It is possible for a process to allocate and accumulate far more FDs than
+ the process' limit by sending them over a unix socket then closing them
+ to keep the process' fd count low.
+
+ This change addresses this problem by keeping track of the number of FDs
+ in flight per user and preventing non-privileged processes from having
+ more FDs in flight than their configured FD limit.
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/sched.h | 1 +
+ net/unix/af_unix.c | 24 ++++++++++++++++++++----
+ net/unix/garbage.c | 13 ++++++++-----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+commit cb207ab8fbd71dcfc4a49d533aba8085012543fd
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Thu Jan 7 14:52:43 2016 -0500
+
+ net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+
+ proc_dostring() needs an initialized destination string, while the one
+ provided in proc_sctp_do_hmac_alg() contains stack garbage.
+
+ Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
+ accessing invalid memory.
+
+ Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/lguest/core.c | 2 +-
+ net/sctp/sysctl.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
-commit 125836e926d5fdf74c748f9aad27bde566566378
-Author: Joe Thornber <ejt@redhat.com>
-Date: Fri May 29 14:52:51 2015 +0100
+commit 4014e09faf0fe9054119624ccfff1236e886b554
+Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue Nov 24 17:13:21 2015 -0500
- dm: fix casting bug in dm_merge_bvec()
+ RDS: fix race condition when sending a message on unbound socket
+
+ commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+ Sasha's found a NULL pointer dereference in the RDS connection code when
+ sending a message to an apparently unbound socket. The problem is caused
+ by the code checking if the socket is bound in rds_sendmsg(), which checks
+ the rs_bound_addr field without taking a lock on the socket. This opens a
+ race where rs_bound_addr is temporarily set but where the transport is not
+ in rds_bind(), leading to a NULL pointer dereference when trying to
+ dereference 'trans' in __rds_conn_create().
+
+ Vegard wrote a reproducer for this issue, so kindly ask him to share if
+ you're interested.
- dm_merge_bvec() was originally added in f6fccb ("dm: introduce
- merge_bvec_fn"). In that commit a value in sectors is converted to
- bytes using << 9, and then assigned to an int. This code made
- assumptions about the value of BIO_MAX_SECTORS.
+ I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+ with this patch, whereas I could without.
- A later commit 148e51 ("dm: improve documentation and code clarity in
- dm_merge_bvec") was meant to have no functional change but it removed
- the use of BIO_MAX_SECTORS in favor of using queue_max_sectors(). At
- this point the cast from sector_t to int resulted in a zero value. The
- fallout being dm_merge_bvec() would only allow a single page to be added
- to a bio.
+ Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+ Cc: David S. Miller <davem@davemloft.net>
+
+ Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+ Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
- This interim fix is minimal for the benefit of stable@ because the more
- comprehensive cleanup of passing a sector_t to all DM targets' merge
- function will impact quite a few DM targets.
+ Conflicts:
- Signed-off-by: Joe Thornber <ejt@redhat.com>
- Signed-off-by: Mike Snitzer <snitzer@redhat.com>
- Cc: stable@vger.kernel.org # 3.19+
+ net/rds/send.c
- drivers/md/dm.c | 17 ++++++++++++-----
- 1 files changed, 12 insertions(+), 5 deletions(-)
+ net/rds/connection.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
-commit e4077a089999d63dfbd6b83a834e24ec25f41fb4
-Author: Al Viro <viro@zeniv.linux.org.uk>
-Date: Thu May 28 23:09:19 2015 -0400
+commit 206df8d01104344d7588d801016a281a4cd25556
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue Sep 8 10:53:40 2015 -0400
- d_walk() might skip too much
+ RDS: verify the underlying transport exists before creating a connection
- when we find that a child has died while we'd been trying to ascend,
- we should go into the first live sibling itself, rather than its sibling.
+ There was no verification that an underlying transport exists when creating
+ a connection, this would cause dereferencing a NULL ptr.
- Off-by-one in question had been introduced in "deal with deadlock in
- d_walk()" and the fix needs to be backported to all branches this one
- has been backported to.
+ It might happen on sockets that weren't properly bound before attempting to
+ send a message, which will cause a NULL ptr deref:
- Cc: stable@vger.kernel.org # 3.2 and later
- Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+ [135546.051270] Modules linked in:
+ [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+ [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+ [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+ [135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
+ [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+ [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+ [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+ [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+ [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+ [135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+ [135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+ [135546.064723] Stack:
+ [135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+ [135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+ [135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+ [135546.068629] Call Trace:
+ [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+ [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+ [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+ [135546.071981] rds_sendmsg (net/rds/send.c:1058)
+ [135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+ [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+ [135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+ [135546.076349] ? __might_fault (mm/memory.c:3795)
+ [135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+ [135546.078856] SYSC_sendto (net/socket.c:1657)
+ [135546.079596] ? SYSC_connect (net/socket.c:1628)
+ [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+ [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+ [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+ [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+ [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- fs/dcache.c | 8 ++++----
- 1 files changed, 4 insertions(+), 4 deletions(-)
+ net/rds/connection.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit b18767da07374771cd2c627b4d0aac1372eee807
-Author: Eric Dumazet <edumazet@google.com>
-Date: Sat May 30 09:16:53 2015 -0700
+commit 173fa03f05cf0ad485d49a42cbdee8844d3a689a
+Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+Date: Tue Jan 5 20:32:47 2016 -0500
- udp: fix behavior of wrong checksums
+ ftrace/module: Call clean up function when module init fails early
- We have two problems in UDP stack related to bogus checksums :
+ If the module init code fails after calling ftrace_module_init() and before
+ calling do_init_module(), we can suffer from a memory leak. This is because
+ ftrace_module_init() allocates pages to store the locations that ftrace
+ hooks are placed in the module text. If do_init_module() fails, it still
+ calls the MODULE_GOING notifiers which will tell ftrace to do a clean up of
+ the pages it allocated for the module. But if load_module() fails before
+ then, the pages allocated by ftrace_module_init() will never be freed.
- 1) We return -EAGAIN to application even if receive queue is not empty.
- This breaks applications using edge trigger epoll()
+ Call ftrace_release_mod() on the module if load_module() fails before
+ getting to do_init_module().
- 2) Under UDP flood, we can loop forever without yielding to other
- processes, potentially hanging the host, especially on non SMP.
+ Link: http://lkml.kernel.org/r/567CEA31.1070507@intel.com
- This patch is an attempt to make things better.
+ Reported-by: "Qiu, PeiyangX" <peiyangx.qiu@intel.com>
+ Fixes: a949ae560a511 "ftrace/module: Hardcode ftrace_module_init() call into load_module()"
+ Cc: stable@vger.kernel.org # v2.6.38+
+ Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ include/linux/ftrace.h | 1 +
+ kernel/module.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 1e5a4a81a4c16c8ac2e264b88a02cc2f42ed0399
+Author: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Date: Wed Jan 6 00:18:48 2016 -0800
+
+ net: possible use after free in dst_release
- We might in the future add extra support for rt applications
- wanting to better control time spent doing a recv() in a hostile
- environment. For example we could validate checksums before queuing
- packets in socket receive queue.
+ dst_release should not access dst->flags after decrementing
+ __refcnt to 0. The dst_entry may be in dst_busy_list and
+ dst_gc_task may dst_destroy it before dst_release gets a chance
+ to access dst->flags.
- Signed-off-by: Eric Dumazet <edumazet@google.com>
- Cc: Willem de Bruijn <willemb@google.com>
+ Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
+ Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+ Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/ipv4/udp.c | 6 ++----
- net/ipv6/udp.c | 6 ++----
- 2 files changed, 4 insertions(+), 8 deletions(-)
+ net/core/dst.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit 33414e447f7395b1c4a510dda495c9f1318f4570
-Author: Jan Kara <jack@suse.cz>
-Date: Tue Jun 2 17:10:28 2015 +0200
+commit bfb0455793dd4e0f0b49d34a68b3249ab55565cc
+Author: Alan <gnomes@lxorguk.ukuu.org.uk>
+Date: Wed Jan 6 14:55:02 2016 +0000
- lib: Fix strnlen_user() to not touch memory after specified maximum
+ mkiss: fix scribble on freed memory
- If the specified maximum length of the string is a multiple of unsigned
- long, we would load one long behind the specified maximum. If that
- happens to be in a next page, we can hit a page fault although we were
- not expected to.
+ commit d79f16c046086f4fe0d42184a458e187464eb83e fixed a user triggerable
+ scribble on free memory but added a new one which allows the user to
+ scribble even more and user controlled data into freed space.
- Fix the off-by-one bug in the test whether we are at the end of the
- specified range.
+ As with 6pack we need to halt the queue before we free the buffers, because
+ the transmit logic is not protected by the semaphore.
- Signed-off-by: Jan Kara <jack@suse.cz>
- Cc: stable@vger.kernel.org
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- lib/strnlen_user.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
+ drivers/net/hamradio/mkiss.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
-commit 22050350eb0fd749f46a19c1c6814a5571c8a89b
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed May 27 20:31:40 2015 -0400
+commit 5cbbcbd32dc1949470f61d342503808fa9555276
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:49 2015 -0500
- squelch noise from initify plugin by default
+ mkiss: Fix use after free in mkiss_close().
+
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- tools/gcc/initify_plugin.c | 4 ++--
+ drivers/net/hamradio/mkiss.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
-commit ea7c117aca7fa6333302e3d29c918a55fefed297
-Merge: 8cab60e 2ca6f6c
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed May 27 19:35:49 2015 -0400
+commit b00171576794a98068e069a660f0991a6a5190ff
+Author: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Date: Tue Jan 5 11:51:25 2016 +0000
- Merge branch 'pax-test' into grsec-test
+ 6pack: fix free memory scribbles
- Conflicts:
- Makefile
- tools/gcc/Makefile
+ commit acf673a3187edf72068ee2f92f4dc47d66baed47 fixed a user triggerable free
+ memory scribble but in doing so replaced it with a different one that allows
+ the user to control the data and scribble even more.
+
+ sixpack_close is called by the tty layer in tty context. The tty context is
+ protected by sp_get() and sp_put(). However network layer activity via
+ sp_xmit() is not protected this way. We must therefore stop the queue
+ otherwise the user gets to dump a buffer mostly of their choice into freed
+ kernel pages.
+
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
-commit 2ca6f6c4ea5dc16ae343bf85db644d9df17ebaf9
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed May 27 19:34:20 2015 -0400
-
- Update to pax-linux-4.0.4-test13.patch:
- - fixed arm compilation once again, reported by Michael Tremer <michael.tremer@ipfire.org>
- - Emese wrote a new gcc plugin called initify that moves some strings into freed-after-init memory, inspired by Mathias Krause (https://lkml.org/lkml/2014/8/21/255)
- - the result is a saving of a few pages worth of memory on typical configs
- - it is unconditionally enabled since it should not affect anything except reducing runtime memory usage a little bit
- - this can be further enhanced in various ways (propagation of __init/__exit annotations, more __nocapture annotations, etc)
- - fixed some section mismatch fallout brought out by the initify plugin
-
- Makefile | 2 +
- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +-
- drivers/clk/hisilicon/clk-hi3620.c | 70 +++---
- drivers/clk/hisilicon/clk-hix5hd2.c | 6 +-
- drivers/clk/rockchip/clk-rk3188.c | 2 +-
- drivers/clk/rockchip/clk-rk3288.c | 2 +-
- drivers/clk/rockchip/clk.h | 2 +-
- drivers/clk/samsung/clk.h | 2 +-
- drivers/clk/ti/composite.c | 2 +-
- drivers/clk/zynq/clkc.c | 24 +-
- drivers/leds/leds-clevo-mail.c | 2 +-
- drivers/leds/leds-ss4200.c | 2 +-
- drivers/platform/chrome/chromeos_laptop.c | 2 +-
- fs/exec.c | 2 +-
- include/asm-generic/bug.h | 6 +-
- include/asm-generic/vmlinux.lds.h | 3 +
- include/linux/compiler-gcc.h | 4 +-
- include/linux/compiler-gcc4.h | 4 +
- include/linux/compiler-gcc5.h | 4 +
- include/linux/compiler.h | 4 +
- include/linux/fs.h | 2 +-
- include/linux/irqdomain.h | 2 +-
- lib/test-hexdump.c | 8 +-
- tools/gcc/Makefile | 2 +
- tools/gcc/constify_plugin.c | 3 +-
- tools/gcc/gcc-common.h | 23 ++
- tools/gcc/initify_plugin.c | 427 +++++++++++++++++++++++++++++
- 27 files changed, 542 insertions(+), 72 deletions(-)
-
-commit 8cab60ecbb5b5667ba9ef80654fbeedc4d6e2cd5
-Author: Eric Work <work.eric@gmail.com>
-Date: Mon May 18 23:26:23 2015 -0700
-
- md/raid0: fix restore to sector variable in raid0_make_request
-
- The variable "sector" in "raid0_make_request()" was improperly updated
- by a call to "sector_div()" which modifies its first argument in place.
- Commit 47d68979cc968535cb87f3e5f2e6a3533ea48fbd restored this variable
- after the call for later re-use. Unfortunetly the restore was done after
- the referenced variable "bio" was advanced. This lead to the original
- value and the restored value being different. Here we move this line to
- the proper place.
-
- One observed side effect of this bug was discarding a file though
- unlinking would cause an unrelated file's contents to be discarded.
-
- Signed-off-by: NeilBrown <neilb@suse.de>
- Fixes: 47d68979cc96 ("md/raid0: fix bug with chunksize not a power of 2.")
- Cc: stable@vger.kernel.org (any that received above backport)
- URL: https://bugzilla.kernel.org/show_bug.cgi?id=98501
-
- drivers/md/raid0.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
+ drivers/net/hamradio/6pack.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit ea49dcac0da7f7fc28aca292ecda1fc0560afd5d
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri May 22 21:10:11 2015 -0400
+commit 5b64a833907cd230a3106aeba2304b2c1bcd116d
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:32 2015 -0500
- Include the required BNX2 firmware from Broadcom for usability
- purposes. Performed whitespace changes on the WHENCE file to
- ensure Broadcom's license for the file is not only contained in
- the resulting compilation but also in the patch itself. It is
- being distributed in hex format as permitted by their license.
+ 6pack: Fix use after free in sixpack_close().
+
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
+
+ Also we need to use del_timer_sync() for the timers so that we don't
+ have any asynchronous references after the unregister.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- firmware/Makefile | 1 +
- firmware/WHENCE | 19 +-
- firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 +++++++++++++++++++++++++++++
- 3 files changed, 6507 insertions(+), 9 deletions(-)
+ drivers/net/hamradio/6pack.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
-commit 639a09d41cd5c6989fda788181bd44fe5f94b639
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 21 07:10:30 2015 -0400
+commit 4f9d532742656b3613d579220fd10c78f24ba37b
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 16:23:07 2016 +0100
+
+ net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
+
+ The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data
+ instructions since it XORs A with X while all the others replace A with
+ some loaded value. All the BPF JITs fail to clear A if this is used as
+ the first instruction in a filter. This was found using american fuzzy
+ lop.
+
+ Add a helper to determine if A needs to be cleared given the first
+ instruction in a filter, and use this in the JITs. Except for ARM, the
+ rest have only been compile-tested.
+
+ Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum")
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- Fix compile warnings in DRM code caused by recent backport, reported by
- Nicolas Iooss
+ arch/arm/net/bpf_jit_32.c | 16 +---------------
+ arch/mips/net/bpf_jit.c | 16 +---------------
+ arch/powerpc/net/bpf_jit_comp.c | 13 ++-----------
+ arch/sparc/net/bpf_jit_comp.c | 17 ++---------------
+ include/linux/filter.h | 19 +++++++++++++++++++
+ 5 files changed, 25 insertions(+), 56 deletions(-)
- drivers/gpu/drm/drm_context.c | 6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
+commit 570d88f8acfffda92b89ae2e1c47320d47256034
+Author: John Fastabend <john.fastabend@gmail.com>
+Date: Tue Jan 5 09:11:36 2016 -0800
-commit 57f09049db562ea13c1a7348251dfa52c971aa91
-Merge: d58754b ce11297
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon May 18 19:41:42 2015 -0400
+ net: sched: fix missing free per cpu on qstats
+
+ When a qdisc is using per cpu stats (currently just the ingress
+ qdisc) only the bstats are being freed. This also free's the qstats.
+
+ Fixes: b0ab6f92752b9f9d8 ("net: sched: enable per cpu qstats")
+ Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- Merge branch 'pax-test' into grsec-test
+ net/sched/sch_generic.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
-commit ce11297c212fd4e4c0c03b5c1def54b1049fcceb
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon May 18 19:41:17 2015 -0400
+commit 32c0ebc51857ee83470a10dcb234d308a0ed1881
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 18:34:04 2016 +0100
- Update to pax-linux-4.0.4-test12.patch:
- - fixed a xen regression introduced with the recent enlargement of level1_fixmap_pgt, reported by 2d1
- - fixed a regression in the structleak plugin that would disable it under LTO
+ ARM: net: bpf: fix zero right shift
+
+ The LSR instruction cannot be used to perform a zero right shift since a
+ 0 as the immediate value (imm5) in the LSR instruction encoding means
+ that a shift of 32 is perfomed. See DecodeIMMShift() in the ARM ARM.
+
+ Make the JIT skip generation of the LSR if a zero-shift is requested.
+
+ This was found using american fuzzy lop.
+
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- arch/x86/include/asm/pgtable_64.h | 4 ++--
- arch/x86/xen/mmu.c | 4 +++-
- tools/gcc/structleak_plugin.c | 2 +-
- 3 files changed, 6 insertions(+), 4 deletions(-)
+ arch/arm/net/bpf_jit_32.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit d58754b52933bca6a1c1bb910c7045f8adfe1c1d
+commit 51f5d291750285efa4d4bbe84e5ec23dc00c8d2d
Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon May 18 18:01:08 2015 -0400
+Date: Wed Jan 6 20:35:57 2016 -0500
- Remove __inline__ from .c files, let the compiler decide
+ Don't perform hidden lookups in RBAC against the directory of
+ a file being opened with O_CREAT, reported by Karl Witt
Conflicts:
- grsecurity/gracl_segv.c
+ fs/namei.c
- grsecurity/gracl.c | 12 ++++++------
- grsecurity/gracl_alloc.c | 4 ++--
- grsecurity/gracl_segv.c | 6 +++---
- grsecurity/grsec_sock.c | 4 ++--
- 4 files changed, 13 insertions(+), 13 deletions(-)
+ fs/namei.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
-commit f6b6f7e408d655d6fd25ef038a836c57a1c0ef65
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon May 18 17:54:21 2015 -0400
+commit 5a8266a6b2769ccdb447256f95bc2577a73cccd1
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jan 5 10:46:00 2016 +0100
- Actually wire up use of the RANDSTRUCT attributes for GCC 5.1, otherwise we'd
- ICE on some Xen PARAVIRT code (and would miss explicit randomization and would
- break other code)
+ bridge: Only call /sbin/bridge-stp for the initial network namespace
+
+ [I stole this patch from Eric Biederman. He wrote:]
+
+ > There is no defined mechanism to pass network namespace information
+ > into /sbin/bridge-stp therefore don't even try to invoke it except
+ > for bridge devices in the initial network namespace.
+ >
+ > It is possible for unprivileged users to cause /sbin/bridge-stp to be
+ > invoked for any network device name which if /sbin/bridge-stp does not
+ > guard against unreasonable arguments or being invoked twice on the
+ > same network device could cause problems.
+
+ [Hannes: changed patch using netns_eq]
+
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- include/linux/compiler-gcc5.h | 5 +++++
- 1 files changed, 5 insertions(+), 0 deletions(-)
+ net/bridge/br_stp_if.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
-commit 743fa074b6cb2515f66b49d2d9f6aeed993b7cc9
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 17 16:34:31 2015 -0400
+commit 650d535cc39f0aeff2f57e60b6617be25d3ef48b
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Wed Dec 23 16:28:40 2015 -0200
- Update size_overflow hash table
+ sctp: use GFP_USER for user-controlled kmalloc
+
+ Commit cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ missed two other spots.
+
+ For connectx, as it's more likely to be used by kernel users of the API,
+ it detects if GFP_USER should be used or not.
+
+ Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- .../size_overflow_plugin/size_overflow_hash.data | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
+ net/sctp/socket.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
-commit 6a139e192ae004a0108ca54c1fb28e738a28fd65
-Merge: 35b9dfe f296a3a
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 17 15:04:29 2015 -0400
+commit 5718a1f63c41fc156f729783423b002763779d04
+Author: Florian Westphal <fw@strlen.de>
+Date: Thu Dec 31 14:26:33 2015 +0100
- Merge branch 'pax-test' into grsec-test
+ connector: bump skb->users before callback invocation
+
+ Dmitry reports memleak with syskaller program.
+ Problem is that connector bumps skb usecount but might not invoke callback.
+
+ So move skb_get to where we invoke the callback.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
-commit f296a3a91c0eb8adeacbe65e74ee26bdc922fd12
-Merge: f11664e 8b660f4
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 17 15:04:22 2015 -0400
+ drivers/connector/connector.c | 11 +++--------
+ 1 files changed, 3 insertions(+), 8 deletions(-)
- Merge branch 'linux-4.0.y' into pax-test
+commit 2e6372e6a97f8d642416899861f91777f44f13b7
+Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Sun Jan 3 18:56:38 2016 +0000
+
+ af_unix: Fix splice-bind deadlock
+
+ On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
+ system call and AF_UNIX sockets,
+
+ http://lists.openwall.net/netdev/2015/11/06/24
+
+ The situation was analyzed as
+
+ (a while ago) A: socketpair()
+ B: splice() from a pipe to /mnt/regular_file
+ does sb_start_write() on /mnt
+ C: try to freeze /mnt
+ wait for B to finish with /mnt
+ A: bind() try to bind our socket to /mnt/new_socket_name
+ lock our socket, see it not bound yet
+ decide that it needs to create something in /mnt
+ try to do sb_start_write() on /mnt, block (it's
+ waiting for C).
+ D: splice() from the same pipe to our socket
+ lock the pipe, see that socket is connected
+ try to lock the socket, block waiting for A
+ B: get around to actually feeding a chunk from
+ pipe to file, try to lock the pipe. Deadlock.
+
+ on 2015/11/10 by Al Viro,
+
+ http://lists.openwall.net/netdev/2015/11/10/4
+
+ The patch fixes this by removing the kern_path_create related code from
+ unix_mknod and executing it as part of unix_bind prior acquiring the
+ readlock of the socket in question. This means that A (as used above)
+ will sb_start_write on /mnt before it acquires the readlock, hence, it
+ won't indirectly block B which first did a sb_start_write and then
+ waited for a thread trying to acquire the readlock. Consequently, A
+ being blocked by C waiting for B won't cause a deadlock anymore
+ (effectively, both A and B acquire two locks in opposite order in the
+ situation described above).
+
+ Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
+
+ Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
- mm/memory-failure.c
-
-commit 35b9dfe2ec2260af1e6d0952c25e18756db64dd5
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 17 14:24:15 2015 -0400
-
- fix whitespace
+
+ net/unix/af_unix.c
- grsecurity/gracl.c | 8 ++++----
- 1 files changed, 4 insertions(+), 4 deletions(-)
+ net/unix/af_unix.c | 70 +++++++++++++++++++++++++++++++--------------------
+ 1 files changed, 42 insertions(+), 28 deletions(-)
-commit 38b838667a0c58da6b0e1bb51571eb696d1fe180
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 17 14:22:18 2015 -0400
+commit 2e729e557c571f3253e32472cd7d382ac16cf1c3
+Author: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date: Thu Dec 31 13:11:28 2015 +0800
- Fix an ICE in the RANDSTRUCT plugin on GCC 5.1 reported and fixed by pipacs
+ tracing: Fix setting of start_index in find_next()
+
+ When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+ panic at t_show.
+
+ general protection fault: 0000 [#1] PREEMPT SMP
+ CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+ RIP: 0010:[<ffffffff811375b2>]
+ [<ffffffff811375b2>] t_show+0x22/0xe0
+ RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+ RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+ R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+ R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+ FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+ CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+ CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+ Call Trace:
+ [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+ [<ffffffff811b749b>] vfs_read+0x9b/0x160
+ [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+ [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+ Kernel panic - not syncing: Fatal exception
+
+ When the first time find_next calls find_next_mod_format, it should
+ iterate the trace_bprintk_fmt_list to find the first print format of
+ the module. However in current code, start_index is smaller than *pos
+ at first, and code will not iterate the list. Latter container_of will
+ get the wrong address with former v, which will cause mod_fmt be a
+ meaningless object and so is the returned mod_fmt->fmt.
+
+ This patch will fix it by correcting the start_index. After fixed,
+ when the first time calls find_next_mod_format, start_index will be
+ equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+ get the right module printk format, so is the returned mod_fmt->fmt.
+
+ Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+ Cc: stable@vger.kernel.org # 3.12+
+ Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+ Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
- tools/gcc/randomize_layout_plugin.c | 1 +
+ kernel/trace/trace_printk.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
-commit 9009fade1831c1f748c3d4758859a710d883b468
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 14 07:59:25 2015 -0400
-
- Commit a series of patches from Peter Antoine that improve the security
- of the kernel's drm code:
-
- The following series of patches fix a number of security holes in the i915
- driver (actually in drm but...). The first three patches remove the actual
- security issues that have been found. The last two patches make the functions
- optional for all drivers. The only driver that has this feature turned on is
- the Nouveau driver, thus hopefully not breaking that driver.
-
- The patch set has been tested on the Intel platforms but has not been tested
- on the Nouveau driver. Hopefully someone with a working card and the right
- combination of drmlib can verify that the patches do what they say.
-
- There is a i-g-t test that goes with this patchset, but that test SHOULD NOT
- be run before the kernel is patches as the test will crash the driver and/or
- make the kernel panic.
-
- Peter Antoine (5):
- drm: Kernel Crash in drm_unlock
- drm: Fixes unsafe deference in locks.
- drm: Possible lock priority escalation.
- drm: Make HW_LOCK access functions optional.
- drm: Make Legacy Context access functions optional.
-
- drivers/gpu/drm/drm_context.c | 50 ++++++++++++++++++++++++++++++--
- drivers/gpu/drm/drm_drv.c | 11 ++++--
- drivers/gpu/drm/drm_lock.c | 18 ++++++++++-
- drivers/gpu/drm/i915/i915_dma.c | 3 ++
- drivers/gpu/drm/nouveau/nouveau_drm.c | 3 +-
- include/drm/drmP.h | 23 ++++++++-------
- include/uapi/drm/i915_drm.h | 1 +
- 7 files changed, 87 insertions(+), 22 deletions(-)
-
-commit fb9c8521491dac227589503a88ec9330210b3e1b
-Author: Alexei Starovoitov <ast@plumgrid.com>
-Date: Mon May 11 23:25:16 2015 -0700
-
- x86: bpf_jit: fix FROM_BE16 and FROM_LE16/32 instructions
-
- FROM_BE16:
- 'ror %reg, 8' doesn't clear upper bits of the register,
- so use additional 'movzwl' insn to zero extend 16 bits into 64
-
- FROM_LE16:
- should zero extend lower 16 bits into 64 bit
-
- FROM_LE32:
- should zero extend lower 32 bits into 64 bit
-
- Fixes: 89aa075832b0 ("net: sock: allow eBPF programs to be attached to sockets")
- Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- arch/x86/net/bpf_jit_comp.c | 28 ++++++++++++++++++++++++++++
- 1 files changed, 28 insertions(+), 0 deletions(-)
-
-commit 8a44405559fd34746059c0fbfc3d304478e23f2a
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 14 07:29:57 2015 -0400
+commit 0994af4b1930f32aa493dc08145cd304f8bfc8f4
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon Dec 28 20:47:08 2015 -0500
- Update size_overflow hash table
+ [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64()
+
+ Cc: stable@vger.kernel.org # 3.15+
+ Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- .../size_overflow_plugin/size_overflow_hash.data | 684 ++++++++++++++++----
- 1 files changed, 544 insertions(+), 140 deletions(-)
+ arch/arm/kernel/sys_oabi-compat.c | 73 +++++++++++++++++++------------------
+ 1 files changed, 37 insertions(+), 36 deletions(-)
-commit 6a3ad59934ad12b28a8834ceebf8d6a23a95d654
-Merge: 798f007 f11664e
+commit 4ed030f65dcf3e6b0128032a49a7d75f947fa351
+Merge: de243c2 3adc55a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed May 13 18:11:35 2015 -0400
+Date: Tue Jan 5 18:10:10 2016 -0500
Merge branch 'pax-test' into grsec-test
-
- Conflicts:
- tools/gcc/size_overflow_plugin/size_overflow_hash.data
-commit f11664e3d714d8c69033066f2ed7cd10dd7e0aa2
+commit 3adc55a5acfa429c2a7cc883aef08b960c0079b0
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed May 13 18:08:17 2015 -0400
-
- Update to pax-linux-4.0.3-test11.patch:
- - updated the size overflow hash table
- - Emese regenerated the size overflow hash table and also fixed compile errors with gcc 4.5 and 4.6
- - fixed a compile error in drivers/iommu/io-pgtable-arm.c, by spender
- - fixed a compile error in KVM on arm, reported by Michael Tremer <michael.tremer@ipfire.org>
- - fixed a size overflow false positive in squashfs, reported by Martin Vath <martin@mvath.de> (https://bugs.gentoo.org/show_bug.cgi?id=548960)
- - fixed a UDEREF false positive in copy_user_handle_tail on amd64, reported by matt merhar
- - fixed a boot crash due to a recent change to fixmap page table allocations on amd64, reported by Hanno Böck <hanno@hboeck.de> (https://forums.grsecurity.net/viewtopic.php?f=1&t=4201)
- - fixed a /proc/kcore regression to not return uninitialized memory if the requested kernel address range is not fully mapped
-
- arch/x86/include/asm/pgtable.h | 2 +
- arch/x86/kernel/head_64.S | 4 +-
- arch/x86/lib/usercopy_64.c | 2 +-
- drivers/iommu/io-pgtable-arm.c | 12 +-
- fs/proc/kcore.c | 14 +-
- fs/squashfs/xattr.c | 12 +-
- include/linux/irqdomain.h | 1 +
- .../size_overflow_plugin/size_overflow_hash.data | 6233 ++++++++++----------
- .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
- .../size_overflow_plugin/size_overflow_transform.c | 6 +-
- .../size_overflow_transform_core.c | 21 +
- 11 files changed, 3083 insertions(+), 3226 deletions(-)
-
-commit 1d3cc55d86824a8bee85e5bf625c29d28b4c4e64
-Merge: 34db492 fa253b2
+Date: Tue Jan 5 18:08:53 2016 -0500
+
+ Update to pax-linux-4.3.3-test16.patch:
+ - small cleanup in entry_64.S on x86
+ - Emese fixed the initify plugin to recursively check variable initializers, reported by Rasmus Villemoes
+ - fixed an integer truncation of a partially uninitialized value bug in em_pop_sreg, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4354)
+ - fixed alternatives patching of call insns under KERNEXEC/i386, reported by fly_a320 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4305) and TTgrsec (https://forums.grsecurity.net/viewtopic.php?f=3&t=4353)
+ - fixed a size overflow false positive that triggered in tcp_parse_options on arm, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350&p=15917#p15916)
+ - fixed a boot crash on amd64 with KERNEXEC/OR and CONTEXT_TRACKING, reported by Klaus Kusche (https://bugs.gentoo.org/show_bug.cgi?id=570420)
+
+ arch/x86/entry/entry_64.S | 60 +++++-----
+ arch/x86/kernel/alternative.c | 2 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ tools/gcc/initify_plugin.c | 123 +++++++++----------
+ .../disable_size_overflow_hash.data | 4 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ 6 files changed, 93 insertions(+), 102 deletions(-)
+
+commit de243c26efd0e423ca92db825af2c3f8eb1ca043
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed May 13 18:05:12 2015 -0400
-
- Merge branch 'linux-4.0.y' into pax-test
+Date: Tue Dec 29 18:01:24 2015 -0500
-commit 798f007623ca5c65e3c07f52d1034aac26640103
-Author: Jason A. Donenfeld <Jason@zx2c4.com>
-Date: Wed May 6 15:09:40 2015 +0200
-
- usbnet: avoid integer overflow in start_xmit
-
- transfer_buffer_length is of type u32. It's therefore wrong to assign it
- to a signed integer. This patch avoids the overflow.
+ It was noticed during an internal audit that the code under GRKERNSEC_PROC_MEMMAP
+ which aimed to enforce a 16MB minimum on RLIMIT_DATA for suid/sgid binaries only
+ did so if RLIMIT_DATA was set lower than PAGE_SIZE.
- It's worth noting that entry->length here is a long; perhaps it would be
- beneficial at somepoint to change this to be unsigned as well, if
- nothing else relies on its signedness for error conditions or the like.
-
- Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ This addition was only supplemental as GRKERNSEC_BRUTE is the main defense
+ against suid/sgid attacks and the flaw above would only eliminate the extra
+ entropy provided for the brk-managed heap, still leaving it with the minimum
+ of 16-bit entropy for mmap on x86 and 28 on x64.
- drivers/net/usb/usbnet.c | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8e264cfe47e5f08cdc9ed009a630277206cd2534
+Merge: 436201b 2584340
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 28 20:30:01 2015 -0500
-commit 1844c93ca54650d8b56bc28d6fceb7e30ae44337
-Author: Eric W. Biederman <ebiederm@xmission.com>
-Date: Fri May 8 16:36:50 2015 -0500
+ Merge branch 'pax-test' into grsec-test
- mnt: Fix fs_fully_visible to verify the root directory is visible
+commit 2584340eab494e64ec1bf9eb5b0d1ae31f926306
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 28 20:29:28 2015 -0500
+
+ Update to pax-linux-4.3.3-test14.patch:
+ - fixed an integer sign conversion error in i2c_dw_pci_probe caught by the size overflow plugin, reported by Jean Lucas and ganymede (https://forums.grsecurity.net/viewtopic.php?f=3&t=4349)
+ - fixed shutdown crash with tboot and KERNEXEC, reported by perfinion
+ - fixed a few false positive and one real size overflow reports in hyperv, reported by hunger
+ - fixed compile regressions on armv5, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350)
+ - fixed an assert in the initify plugin that triggered in vic_register on arm
+
+ arch/arm/include/asm/atomic.h | 7 +++++--
+ arch/arm/include/asm/domain.h | 5 ++---
+ arch/x86/kernel/tboot.c | 14 +++++++++-----
+ drivers/hv/channel.c | 4 +---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 3 +--
+ fs/exec.c | 4 ++--
+ include/linux/atomic.h | 15 ---------------
+ net/core/skbuff.c | 3 ++-
+ tools/gcc/initify_plugin.c | 4 +++-
+ 10 files changed, 26 insertions(+), 35 deletions(-)
+
+commit 436201b6626b488d173c8076447000077c27b84a
+Author: David Howells <dhowells@redhat.com>
+Date: Fri Dec 18 01:34:26 2015 +0000
+
+ KEYS: Fix race between read and revoke
- This fixes a dumb bug in fs_fully_visible that allows proc or sys to
- be mounted if there is a bind mount of part of /proc/ or /sys/ visible.
+ This fixes CVE-2015-7550.
- Cc: stable@vger.kernel.org
- Reported-by: Eric Windisch <ewindisch@docker.com>
- Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
-
- fs/namespace.c | 6 ++++++
- 1 files changed, 6 insertions(+), 0 deletions(-)
-
-commit 8674ca202b191f9504414c20b870d93f6cdde83f
-Author: Christophe Leroy <christophe.leroy@c-s.fr>
-Date: Wed May 6 17:26:47 2015 +0200
-
- splice: sendfile() at once fails for big files
-
- Using sendfile with below small program to get MD5 sums of some files,
- it appear that big files (over 64kbytes with 4k pages system) get a
- wrong MD5 sum while small files get the correct sum.
- This program uses sendfile() to send a file to an AF_ALG socket
- for hashing.
-
- /* md5sum2.c */
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
- #include <string.h>
- #include <fcntl.h>
- #include <sys/socket.h>
- #include <sys/stat.h>
- #include <sys/types.h>
- #include <linux/if_alg.h>
-
- int main(int argc, char **argv)
- {
- int sk = socket(AF_ALG, SOCK_SEQPACKET, 0);
- struct stat st;
- struct sockaddr_alg sa = {
- .salg_family = AF_ALG,
- .salg_type = "hash",
- .salg_name = "md5",
- };
- int n;
-
- bind(sk, (struct sockaddr*)&sa, sizeof(sa));
-
- for (n = 1; n < argc; n++) {
- int size;
- int offset = 0;
- char buf[4096];
- int fd;
- int sko;
- int i;
-
- fd = open(argv[n], O_RDONLY);
- sko = accept(sk, NULL, 0);
- fstat(fd, &st);
- size = st.st_size;
- sendfile(sko, fd, &offset, size);
- size = read(sko, buf, sizeof(buf));
- for (i = 0; i < size; i++)
- printf("%2.2x", buf[i]);
- printf(" %s\n", argv[n]);
- close(fd);
- close(sko);
- }
- exit(0);
- }
+ There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+ happens between keyctl_read() checking the validity of a key and the key's
+ semaphore being taken, then the key type read method will see a revoked key.
- Test below is done using official linux patch files. First result is
- with a software based md5sum. Second result is with the program above.
+ This causes a problem for the user-defined key type because it assumes in
+ its read method that there will always be a payload in a non-revoked key
+ and doesn't check for a NULL pointer.
- root@vgoip:~# ls -l patch-3.6.*
- -rw-r--r-- 1 root root 64011 Aug 24 12:01 patch-3.6.2.gz
- -rw-r--r-- 1 root root 94131 Aug 24 12:01 patch-3.6.3.gz
+ Fix this by making keyctl_read() check the validity of a key after taking
+ semaphore instead of before.
- root@vgoip:~# md5sum patch-3.6.*
- b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
- c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
+ I think the bug was introduced with the original keyrings code.
- root@vgoip:~# ./md5sum2 patch-3.6.*
- b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
- 5fd77b24e68bb24dcc72d6e57c64790e patch-3.6.3.gz
+ This was discovered by a multithreaded test program generated by syzkaller
+ (http://github.com/google/syzkaller). Here's a cleaned up version:
- After investivation, it appears that sendfile() sends the files by blocks
- of 64kbytes (16 times PAGE_SIZE). The problem is that at the end of each
- block, the SPLICE_F_MORE flag is missing, therefore the hashing operation
- is reset as if it was the end of the file.
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
- This patch adds SPLICE_F_MORE to the flags when more data is pending.
+ Build as:
- With the patch applied, we get the correct sums:
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
- root@vgoip:~# md5sum patch-3.6.*
- b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
- c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
+ Run as:
- root@vgoip:~# ./md5sum2 patch-3.6.*
- b3ffb9848196846f31b2ff133d2d6443 patch-3.6.2.gz
- c5e8f687878457db77cb7158c38a7e43 patch-3.6.3.gz
+ while keyctl-race; do :; done
- Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
- Signed-off-by: Jens Axboe <axboe@fb.com>
-
- fs/splice.c | 12 +++++++++++-
- 1 files changed, 11 insertions(+), 1 deletions(-)
-
-commit 47488c19e1d47e54d0421dd372e4020868703b9a
-Author: Al Viro <viro@zeniv.linux.org.uk>
-Date: Fri May 8 22:53:15 2015 -0400
-
- path_openat(): fix double fput()
+ as it may need several iterations to crash the kernel. The crash can be
+ summarised as:
- path_openat() jumps to the wrong place after do_tmpfile() - it has
- already done path_cleanup() (as part of path_lookupat() called by
- do_tmpfile()), so doing that again can lead to double fput().
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
- Cc: stable@vger.kernel.org # v3.11+
- Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: James Morris <james.l.morris@oracle.com>
- fs/namei.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
-commit 965d7cc13d29d9b8b2168cf73b05d006ce7a0330
+commit 195cea04477025da4a2078bd3e1fb7c4e11206c2
Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 7 20:09:26 2015 -0400
+Date: Tue Dec 22 20:44:01 2015 -0500
- Update size_overflow hash table
+ Add new kernel command-line param: pax_size_overflow_report_only
+ If a user triggers a size_overflow violation that makes it difficult
+ to obtain the call trace without serial console/net console, they can
+ use this option to provide that information to us
- .../size_overflow_plugin/size_overflow_hash.data | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ Documentation/kernel-parameters.txt | 5 +++++
+ fs/exec.c | 12 +++++++++---
+ init/main.c | 11 +++++++++++
+ 3 files changed, 25 insertions(+), 3 deletions(-)
-commit 0ae1f9332e2c234f733300ca9cb61033ff0be292
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 7 19:44:47 2015 -0400
+commit 4254a8da5851df8c08cdca5c392916e8c105408d
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon Dec 21 10:55:45 2015 -0800
- make the const ops table non-local
+ addrconf: always initialize sysctl table data
+
+ When sysctl performs restrict writes, it allows to write from
+ a middle position of a sysctl file, which requires us to initialize
+ the table data before calling proc_dostring() for the write case.
+
+ Fixes: 3d1bec99320d ("ipv6: introduce secret_stable to ipv6_devconf")
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Tested-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/iommu/io-pgtable-arm.c | 12 +++++++-----
- 1 files changed, 7 insertions(+), 5 deletions(-)
+ net/ipv6/addrconf.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
-commit ba1301fd7a645a5d5be6c59b620ca97c36299ad2
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 7 18:58:43 2015 -0400
+commit f8002863fb06c363180637046947a78a6ccb3d33
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed Dec 16 23:39:04 2015 -0800
- Update size_overflow hash table
+ net: check both type and procotol for tcp sockets
+
+ Dmitry reported the following out-of-bound access:
+
+ Call Trace:
+ [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
+ mm/kasan/report.c:294
+ [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
+ [< inline >] SYSC_setsockopt net/socket.c:1746
+ [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
+ [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
+ arch/x86/entry/entry_64.S:185
+
+ This is because we mistake a raw socket as a tcp socket.
+ We should check both sk->sk_type and sk->sk_protocol to ensure
+ it is a tcp socket.
+
+ Willem points out __skb_complete_tx_timestamp() needs to fix as well.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Acked-by: Willem de Bruijn <willemb@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- .../size_overflow_plugin/size_overflow_hash.data | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ net/core/skbuff.c | 3 ++-
+ net/core/sock.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
-commit 050a518c6f55c8e770e44c7bab3ebf603539b746
-Merge: 7614be0 34db492
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 7 18:26:43 2015 -0400
+commit bd6b3399804470a4ad8f34229469ca149dceba3d
+Author: Colin Ian King <colin.king@canonical.com>
+Date: Fri Dec 18 14:22:01 2015 -0800
- Merge branch 'pax-test' into grsec-test
+ proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
- Conflicts:
- fs/open.c
+ Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit
+ 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") removed
+ the setting of ret after the get_proc_task call and incorrectly left it as
+ -ESRCH. Instead, return 0 when successful.
+
+ Example breakage:
+
+ echo 0 > /proc/self/coredump_filter
+ bash: echo: write error: No such process
+
+ Fixes: 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()")
+ Signed-off-by: Colin Ian King <colin.king@canonical.com>
+ Acked-by: Kees Cook <keescook@chromium.org>
+ Cc: <stable@vger.kernel.org> [4.3+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-commit 34db492ef0dddd9c4e3d2f7b2480247ae2bbdaf0
-Merge: e580e37 072cab6
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 7 18:24:48 2015 -0400
+ fs/proc/base.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
- Update to pax-linux-4.0.2-test10.patch:
- - disable PCID before exiting the kernel to code that may not sanitize its environment properly before turning off paging, fixes tboot/TXT shutdown among others, reported and debugged by Jason Zaman perfinion@gentoo.org
- - worked around a gcc induced intentional overflow in the bunzip decompressor, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=548508)
- - F_SETPIPE_SZ handling ignored pipe_min_size and could trigger the size overflow instrumentation, reported by minipli
- - fixed an integer signedness mixup in a parameter of semop and semtimedop, by minipli
- - fixed some constification fallout in io_pgtable/io_pgtable_ops handling that triggered on arm, reported by Michael Tremer <michael.tremer@ipfire.org>
+commit b28aca2b99ed08546778355fb9402c503ff9b29e
+Author: Junichi Nomura <j-nomura@ce.jp.nec.com>
+Date: Tue Dec 22 10:23:44 2015 -0700
+
+ block: ensure to split after potentially bouncing a bio
- Merge branch 'linux-4.0.y' into pax-test
+ blk_queue_bio() does split then bounce, which makes the segment
+ counting based on pages before bouncing and could go wrong. Move
+ the split to after bouncing, like we do for blk-mq, and the we
+ fix the issue of having the bio count for segments be wrong.
- Conflicts:
- arch/arm/include/asm/elf.h
- fs/binfmt_elf.c
+ Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
+ Cc: stable@vger.kernel.org
+ Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
+ Signed-off-by: Jens Axboe <axboe@fb.com>
-commit 7614be07b9df52ecd1dbad23cef4221dd76a54bf
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Thu May 7 18:01:36 2015 -0400
-
- Even though in the history of autoconfig it has never tripped anyone
- up under realistic use cases (e.g. nobody starts a config, enables
- only CONFIG_GRKERNSEC, then exits menuconfig, then loads it back up
- and tries to apply an autoconfig setting) explicitly mention that you
- cannot do it and expect the autoconfig to work. Due to how the Kbuild
- system works, we can't apply defaults and also allow them to be modified
- via custom settings -- if they're 'select'ed then they can't be modified,
- and using 'select' violates any dependencies that may exist. Therefore
- we have to resort to using 'default', which after a user has already chosen
- all the settings by virtue of enabling CONFIG_GRKERNSEC and then saving their
- complete kernel config, cannot have any effect as the options have now all
- been chosen and there's no 'default' applicable.
-
- security/Kconfig | 5 +++++
- 1 files changed, 5 insertions(+), 0 deletions(-)
+ block/blk-core.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit 3c85103f0377ab0e193be5a427498d1ab1c4ebef
-Merge: 314b162 e580e37
+commit e62a25e917a9e5b35ddd5b4f1b5e5e30fbd2e84c
+Merge: f6f63ae ec72fa5
Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon May 4 18:42:22 2015 -0400
+Date: Tue Dec 22 19:46:26 2015 -0500
Merge branch 'pax-test' into grsec-test
-commit e580e375583a4288990269df661098155e29b3e7
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Mon May 4 18:42:01 2015 -0400
-
- Update to pax-linux-4.0.1-test7.patch:
- - fixed an xgbe driver compile regression, reported by spender
- - fixed a bunch of NULL function pointer dereference regressions in the compat drm ioctl code for i915/mga/r128/radeon, reported by minipli
-
- drivers/gpu/drm/i915/i915_ioc32.c | 13 ++++++-------
- drivers/gpu/drm/mga/mga_ioc32.c | 7 +++----
- drivers/gpu/drm/r128/r128_ioc32.c | 7 +++----
- drivers/gpu/drm/radeon/radeon_ioc32.c | 7 +++----
- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++--
- 5 files changed, 17 insertions(+), 21 deletions(-)
-
-commit 314b16217423b8e732f3dcb1e04a9daee66b06ea
+commit ec72fa5f8d9cb4e223bad1b8b5c2e1071c222f2a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 3 14:21:56 2015 -0400
+Date: Tue Dec 22 19:45:51 2015 -0500
- Update size_overflow hash table
+ Update to pax-linux-4.3.3-test13.patch:
+ - Emese fixed a (probably) false positive integer truncation in xfs_da_grow_inode_int, reported by jdkbx (http://forums.grsecurity.net/viewtopic.php?f=3&t=4346)
+ - fixed a size overflow in btrfs/try_merge_map, reported by Alex W (https://bugs.archlinux.org/task/47173) and mathias and dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4344)
- .../size_overflow_plugin/size_overflow_hash.data | 510 +++++++++++++++-----
- 1 files changed, 401 insertions(+), 109 deletions(-)
+ arch/arm/mm/fault.c | 2 +-
+ arch/x86/mm/fault.c | 2 +-
+ fs/btrfs/extent_map.c | 8 ++++++--
+ fs/xfs/libxfs/xfs_da_btree.c | 4 +++-
+ 4 files changed, 11 insertions(+), 5 deletions(-)
-commit ec7e8a8c3309e0036d4c5361a66caac880418347
+commit f6f63ae154cd45028add1dc41957878060d77fbf
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 3 08:50:17 2015 -0400
+Date: Thu Dec 17 18:43:44 2015 -0500
- constify compile fix
+ ptrace_has_cap() checks whether the current process should be
+ treated as having a certain capability for ptrace checks
+ against another process. Until now, this was equivalent to
+ has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
+
+ However, if a root-owned process wants to enter a user
+ namespace for some reason without knowing who owns it and
+ therefore can't change to the namespace owner's uid and gid
+ before entering, as soon as it has entered the namespace,
+ the namespace owner can attach to it via ptrace and thereby
+ gain access to its uid and gid.
+
+ While it is possible for the entering process to switch to
+ the uid of a claimed namespace owner before entering,
+ causing the attempt to enter to fail if the claimed uid is
+ wrong, this doesn't solve the problem of determining an
+ appropriate gid.
+
+ With this change, the entering process can first enter the
+ namespace and then safely inspect the namespace's
+ properties, e.g. through /proc/self/{uid_map,gid_map},
+ assuming that the namespace owner doesn't have access to
+ uid 0.
+ Signed-off-by: Jann Horn <jann@thejh.net>
- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
+ kernel/ptrace.c | 30 +++++++++++++++++++++++++-----
+ 1 files changed, 25 insertions(+), 5 deletions(-)
-commit e98198e8f9aa0b17be2727731390268c02a6afe4
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun May 3 08:28:00 2015 -0400
+commit e314f0fb63020f61543b401ff594e953c2c304e5
+Author: tadeusz.struk@intel.com <tadeusz.struk@intel.com>
+Date: Tue Dec 15 10:46:17 2015 -0800
- RANDSTRUCT compile fix
+ net: fix uninitialized variable issue
+
+ msg_iocb needs to be initialized on the recv/recvfrom path.
+ Otherwise afalg will wrongly interpret it as an async call.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+ Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- fs/overlayfs/super.c | 6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
+ net/socket.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit 61e19c8623ec094d5cbf811938691ca7b4066713
+commit a3f56a43ad56b8fcaf04f6327636ed2f5970de3b
+Merge: dfa764c 142edcf
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat May 2 23:26:32 2015 -0400
-
- compile fix
+Date: Wed Dec 16 21:01:17 2015 -0500
- fs/proc/generic.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit 88e4f3ecfbc91dea85862629fb79f8ede5d7c689
+commit 142edcf1005a57fb8887823565cf0bafad2f313c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat May 2 23:18:10 2015 -0400
+Date: Wed Dec 16 21:00:57 2015 -0500
- compile fix
+ Update to pax-linux-4.3.3-test12.patch:
+ - Emese fixed a size overflow false positive in reiserfs/leaf_paste_entries, reported by Christian Apeltauer (https://bugs.gentoo.org/show_bug.cgi?id=568046)
+ - fixed a bunch of int/size_t mismatches in the drivers/tty/n_tty.c code causing size overflow false positives, reported by Toralf Förster, mathias (https://forums.grsecurity.net/viewtopic.php?f=3&t=4342), N8Fear (https://forums.grsecurity.net/viewtopic.php?f=3&t=4341)
- fs/debugfs/inode.c | 12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
+ drivers/tty/n_tty.c | 16 ++++++++--------
+ .../disable_size_overflow_hash.data | 2 ++
+ .../size_overflow_plugin/size_overflow_hash.data | 6 ++----
+ 3 files changed, 12 insertions(+), 12 deletions(-)
-commit c207fa7156db513835c1d2848eb710a48a9dabcf
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat May 2 23:15:53 2015 -0400
+commit dfa764cc549892a5bfc1083cac78b99032cae577
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Dec 15 22:59:12 2015 +0100
- fix gcc warning
+ ipv6: automatically enable stable privacy mode if stable_secret set
+
+ Bjørn reported that while we switch all interfaces to privacy stable mode
+ when setting the secret, we don't set this mode for new interfaces. This
+ does not make sense, so change this behaviour.
+
+ Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf")
+ Reported-by: Bjørn Mork <bjorn@mork.no>
+ Cc: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/char/mem.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ net/ipv6/addrconf.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit ee428a73671f9d2cb4256f24abc417c7c8b8c356
+commit c2815a1fee03f222273e77c14e43f960da06f35a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat May 2 23:03:56 2015 -0400
+Date: Wed Dec 16 13:03:38 2015 -0500
- compile fix
+ Work around upstream limitation on the number of thread info flags causing a compilation error
+ Reported by fabled at http://forums.grsecurity.net/viewtopic.php?f=3&t=4339
- fs/debugfs/inode.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ arch/arm/kernel/entry-common.S | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
-commit 2de93b3f9e3c8346e2b39d8370cce9dd87f5c0d2
+commit 8c9ae168e09ae49324d709d76d73d9fc4ca477e1
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat May 2 22:56:36 2015 -0400
+Date: Tue Dec 15 19:03:41 2015 -0500
- Initial import of grsecurity 3.1 for Linux 4.0.1
+ Initial import of grsecurity 3.1 for Linux 4.3.3
Documentation/dontdiff | 2 +
Documentation/kernel-parameters.txt | 7 +
+ Documentation/sysctl/kernel.txt | 15 +
Makefile | 18 +-
arch/alpha/include/asm/cache.h | 4 +-
arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arc/Kconfig | 1 +
arch/arm/Kconfig | 1 +
- arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/Kconfig.debug | 1 +
+ arch/arm/include/asm/thread_info.h | 7 +-
arch/arm/kernel/process.c | 4 +-
arch/arm/kernel/ptrace.c | 9 +
arch/arm/kernel/traps.c | 7 +-
arch/arm/mm/Kconfig | 2 +-
arch/arm/mm/fault.c | 40 +-
arch/arm/mm/mmap.c | 8 +-
- arch/arm/net/bpf_jit_32.c | 4 +
+ arch/arm/net/bpf_jit_32.c | 51 +-
+ arch/arm64/Kconfig.debug | 1 +
arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/Kconfig.debug | 1 +
arch/blackfin/include/asm/cache.h | 3 +-
arch/cris/include/arch-v10/arch/cache.h | 3 +-
arch/cris/include/arch-v32/arch/cache.h | 3 +-
arch/mips/Kconfig | 1 +
arch/mips/include/asm/cache.h | 3 +-
arch/mips/include/asm/thread_info.h | 11 +-
- arch/mips/kernel/irq.c | 4 +
+ arch/mips/kernel/irq.c | 3 +
arch/mips/kernel/ptrace.c | 9 +
arch/mips/mm/mmap.c | 4 +-
arch/mn10300/proc-mn103e010/include/proc/cache.h | 4 +-
arch/parisc/include/asm/cache.h | 5 +-
arch/parisc/kernel/sys_parisc.c | 4 +
arch/powerpc/Kconfig | 1 +
- arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/cache.h | 4 +-
arch/powerpc/include/asm/thread_info.h | 5 +-
arch/powerpc/kernel/Makefile | 2 +
arch/powerpc/kernel/irq.c | 3 +
arch/powerpc/kernel/ptrace.c | 14 +
arch/powerpc/kernel/traps.c | 5 +
arch/powerpc/mm/slice.c | 2 +-
+ arch/s390/Kconfig.debug | 1 +
arch/s390/include/asm/cache.h | 4 +-
arch/score/include/asm/cache.h | 4 +-
arch/sh/include/asm/cache.h | 3 +-
arch/tile/mm/hugetlbpage.c | 2 +
arch/um/include/asm/cache.h | 3 +-
arch/unicore32/include/asm/cache.h | 6 +-
- arch/x86/Kconfig | 5 +
+ arch/x86/Kconfig | 21 +
+ arch/x86/Kconfig.debug | 2 +
+ arch/x86/entry/common.c | 14 +
+ arch/x86/entry/entry_32.S | 2 +-
+ arch/x86/entry/entry_64.S | 2 +-
arch/x86/ia32/ia32_aout.c | 2 +
arch/x86/include/asm/floppy.h | 20 +-
+ arch/x86/include/asm/fpu/types.h | 69 +-
arch/x86/include/asm/io.h | 2 +-
arch/x86/include/asm/page.h | 12 +-
arch/x86/include/asm/paravirt_types.h | 23 +-
- arch/x86/include/asm/processor.h | 2 +-
- arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/include/asm/processor.h | 12 +-
+ arch/x86/include/asm/thread_info.h | 6 +-
+ arch/x86/include/asm/uaccess.h | 2 +-
arch/x86/kernel/dumpstack.c | 10 +-
arch/x86/kernel/dumpstack_32.c | 2 +-
arch/x86/kernel/dumpstack_64.c | 2 +-
- arch/x86/kernel/entry_32.S | 2 +-
- arch/x86/kernel/entry_64.S | 2 +-
- arch/x86/kernel/espfix_64.c | 2 +-
arch/x86/kernel/ioport.c | 13 +
arch/x86/kernel/irq_32.c | 3 +
arch/x86/kernel/irq_64.c | 4 +
+ arch/x86/kernel/ldt.c | 18 +
arch/x86/kernel/msr.c | 10 +
- arch/x86/kernel/ptrace.c | 28 +
+ arch/x86/kernel/ptrace.c | 14 +
arch/x86/kernel/signal.c | 9 +-
arch/x86/kernel/sys_i386_32.c | 9 +-
arch/x86/kernel/sys_x86_64.c | 8 +-
arch/x86/kernel/traps.c | 5 +
arch/x86/kernel/verify_cpu.S | 1 +
- arch/x86/kernel/vm86_32.c | 16 +
+ arch/x86/kernel/vm86_32.c | 15 +
+ arch/x86/kvm/svm.c | 14 +-
arch/x86/mm/fault.c | 12 +-
arch/x86/mm/hugetlbpage.c | 15 +-
arch/x86/mm/init.c | 66 +-
arch/x86/xen/Kconfig | 1 +
arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 2 +-
+ crypto/blkcipher.c | 2 +-
+ crypto/scatterwalk.c | 10 +-
drivers/acpi/acpica/hwxfsleep.c | 11 +-
drivers/acpi/custom_method.c | 4 +
drivers/block/cciss.h | 30 +-
drivers/cdrom/cdrom.c | 2 +-
drivers/char/Kconfig | 4 +-
drivers/char/genrtc.c | 1 +
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
drivers/char/mem.c | 17 +
drivers/char/random.c | 5 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 2 -
+ drivers/crypto/nx/nx-aes-ccm.c | 2 +-
+ drivers/crypto/nx/nx-aes-gcm.c | 2 +-
+ drivers/crypto/talitos.c | 2 +-
drivers/firewire/ohci.c | 4 +
- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 70 +-
+ drivers/gpu/drm/nouveau/nouveau_ttm.c | 28 +-
drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
+ drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +-
drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
drivers/hid/hid-wiimote-debug.c | 2 +-
drivers/infiniband/hw/nes/nes_cm.c | 22 +-
+ drivers/iommu/Kconfig | 1 +
drivers/iommu/amd_iommu.c | 14 +-
drivers/isdn/gigaset/bas-gigaset.c | 32 +-
drivers/isdn/gigaset/ser-gigaset.c | 32 +-
drivers/isdn/gigaset/usb-gigaset.c | 32 +-
+ drivers/isdn/hisax/config.c | 2 +-
+ drivers/isdn/hisax/hfc_pci.c | 2 +-
+ drivers/isdn/hisax/hfc_sx.c | 2 +-
+ drivers/isdn/hisax/q931.c | 6 +-
drivers/isdn/i4l/isdn_concap.c | 6 +-
drivers/isdn/i4l/isdn_x25iface.c | 16 +-
+ drivers/md/bcache/Kconfig | 1 +
drivers/md/raid5.c | 8 +
drivers/media/pci/solo6x10/solo6x10-g723.c | 2 +-
+ drivers/media/platform/sti/c8sectpfe/Kconfig | 1 +
+ drivers/media/platform/vivid/vivid-osd.c | 1 +
drivers/media/radio/radio-cadet.c | 5 +-
drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +-
drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 +-
drivers/message/fusion/mptbase.c | 9 +
drivers/misc/sgi-xp/xp_main.c | 12 +-
drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
- drivers/net/ethernet/sfc/selftest.c | 2 +-
+ drivers/net/ppp/pppoe.c | 14 +-
+ drivers/net/ppp/pptp.c | 6 +
+ drivers/net/slip/slhc.c | 3 +
drivers/net/wan/lmc/lmc_media.c | 97 +-
+ drivers/net/wan/x25_asy.c | 6 +-
drivers/net/wan/z85230.c | 24 +-
+ drivers/net/wireless/ath/ath9k/Kconfig | 1 -
drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ drivers/pci/pci-sysfs.c | 2 +-
drivers/pci/proc.c | 9 +
drivers/platform/x86/asus-wmi.c | 12 +
drivers/rtc/rtc-dev.c | 3 +
drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
drivers/scsi/bfa/bfa_modules.h | 12 +-
drivers/scsi/hpsa.h | 40 +-
+ drivers/staging/dgnc/dgnc_mgmt.c | 1 +
drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
+ drivers/target/target_core_sbc.c | 17 +-
+ drivers/target/target_core_transport.c | 14 +-
+ drivers/tty/serial/uartlite.c | 4 +-
drivers/tty/sysrq.c | 2 +-
drivers/tty/vt/keyboard.c | 22 +-
drivers/uio/uio.c | 6 +-
drivers/usb/gadget/function/f_uac1.c | 1 +
drivers/usb/gadget/function/u_uac1.c | 1 +
drivers/usb/host/hwa-hc.c | 9 +-
+ drivers/usb/usbip/vhci_sysfs.c | 2 +-
drivers/video/fbdev/arcfb.c | 2 +-
drivers/video/fbdev/matrox/matroxfb_DAC1064.c | 10 +-
drivers/video/fbdev/matrox/matroxfb_Ti3026.c | 5 +-
drivers/video/fbdev/sh_mobile_lcdcfb.c | 6 +-
- drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++++++------------
+ drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++-----
drivers/xen/xenfs/xenstored.c | 5 +
+ firmware/Makefile | 2 +
+ firmware/WHENCE | 20 +-
+ firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 +++++++++++++++++
+ firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 ++++++++++++++++++++
+ fs/9p/vfs_inode.c | 4 +-
fs/attr.c | 1 +
fs/autofs4/waitq.c | 9 +
fs/binfmt_aout.c | 7 +
- fs/binfmt_elf.c | 40 +-
+ fs/binfmt_elf.c | 50 +-
fs/compat.c | 20 +-
fs/coredump.c | 17 +-
fs/dcache.c | 3 +
- fs/debugfs/inode.c | 27 +-
- fs/exec.c | 224 ++-
+ fs/debugfs/inode.c | 11 +-
+ fs/exec.c | 219 +-
fs/ext2/balloc.c | 4 +-
fs/ext2/super.c | 8 +-
- fs/ext3/balloc.c | 4 +-
- fs/ext3/super.c | 8 +-
fs/ext4/balloc.c | 4 +-
fs/fcntl.c | 4 +
- fs/fhandle.c | 8 +-
+ fs/fhandle.c | 3 +-
fs/file.c | 4 +
fs/filesystems.c | 4 +
fs/fs_struct.c | 20 +-
fs/hugetlbfs/inode.c | 5 +-
- fs/inode.c | 6 +-
+ fs/inode.c | 8 +-
fs/kernfs/dir.c | 6 +
fs/mount.h | 4 +-
- fs/namei.c | 243 ++-
+ fs/namei.c | 286 +-
fs/namespace.c | 24 +
fs/nfsd/nfscache.c | 2 +-
- fs/ocfs2/refcounttree.c | 2 +-
fs/open.c | 38 +
+ fs/overlayfs/inode.c | 11 +-
+ fs/overlayfs/super.c | 6 +-
fs/pipe.c | 2 +-
fs/posix_acl.c | 15 +-
fs/proc/Kconfig | 10 +-
- fs/proc/array.c | 66 +-
- fs/proc/base.c | 163 ++-
+ fs/proc/array.c | 69 +-
+ fs/proc/base.c | 186 +-
fs/proc/cmdline.c | 4 +
fs/proc/devices.c | 4 +
fs/proc/fd.c | 17 +-
fs/proc/internal.h | 11 +-
fs/proc/interrupts.c | 4 +
fs/proc/kcore.c | 3 +
+ fs/proc/meminfo.c | 7 +-
+ fs/proc/namespaces.c | 4 +-
fs/proc/proc_net.c | 31 +
fs/proc/proc_sysctl.c | 52 +-
fs/proc/root.c | 8 +
fs/reiserfs/item_ops.c | 24 +-
fs/reiserfs/super.c | 4 +
fs/select.c | 2 +
- fs/seq_file.c | 37 +-
+ fs/seq_file.c | 30 +-
+ fs/splice.c | 8 +
fs/stat.c | 20 +-
fs/sysfs/dir.c | 30 +-
+ fs/sysv/inode.c | 11 +-
fs/utimes.c | 7 +
fs/xattr.c | 26 +-
- grsecurity/Kconfig | 1182 +++++++++
+ grsecurity/Kconfig | 1182 ++++
grsecurity/Makefile | 54 +
- grsecurity/gracl.c | 2749 ++++++++++++++++++++
+ grsecurity/gracl.c | 2757 +++++++++
grsecurity/gracl_alloc.c | 105 +
grsecurity/gracl_cap.c | 127 +
- grsecurity/gracl_compat.c | 269 ++
- grsecurity/gracl_fs.c | 447 ++++
- grsecurity/gracl_ip.c | 386 +++
- grsecurity/gracl_learn.c | 207 ++
- grsecurity/gracl_policy.c | 1781 +++++++++++++
+ grsecurity/gracl_compat.c | 269 +
+ grsecurity/gracl_fs.c | 448 ++
+ grsecurity/gracl_ip.c | 386 ++
+ grsecurity/gracl_learn.c | 207 +
+ grsecurity/gracl_policy.c | 1786 ++++++
grsecurity/gracl_res.c | 68 +
- grsecurity/gracl_segv.c | 324 +++
+ grsecurity/gracl_segv.c | 304 +
grsecurity/gracl_shm.c | 40 +
grsecurity/grsec_chdir.c | 19 +
- grsecurity/grsec_chroot.c | 467 ++++
- grsecurity/grsec_disabled.c | 445 ++++
- grsecurity/grsec_exec.c | 189 ++
- grsecurity/grsec_fifo.c | 24 +
+ grsecurity/grsec_chroot.c | 467 ++
+ grsecurity/grsec_disabled.c | 445 ++
+ grsecurity/grsec_exec.c | 189 +
+ grsecurity/grsec_fifo.c | 26 +
grsecurity/grsec_fork.c | 23 +
- grsecurity/grsec_init.c | 290 ++
+ grsecurity/grsec_init.c | 290 +
grsecurity/grsec_ipc.c | 48 +
- grsecurity/grsec_link.c | 58 +
- grsecurity/grsec_log.c | 341 +++
+ grsecurity/grsec_link.c | 65 +
+ grsecurity/grsec_log.c | 340 +
grsecurity/grsec_mem.c | 48 +
grsecurity/grsec_mount.c | 65 +
- grsecurity/grsec_pax.c | 45 +
+ grsecurity/grsec_pax.c | 47 +
grsecurity/grsec_proc.c | 20 +
grsecurity/grsec_ptrace.c | 30 +
- grsecurity/grsec_sig.c | 236 ++
- grsecurity/grsec_sock.c | 244 ++
- grsecurity/grsec_sysctl.c | 488 ++++
+ grsecurity/grsec_sig.c | 236 +
+ grsecurity/grsec_sock.c | 244 +
+ grsecurity/grsec_sysctl.c | 488 ++
grsecurity/grsec_time.c | 16 +
grsecurity/grsec_tpe.c | 78 +
grsecurity/grsec_usb.c | 15 +
grsecurity/grsum.c | 64 +
include/linux/binfmts.h | 5 +-
- include/linux/capability.h | 5 +
- include/linux/compiler-gcc4.h | 5 +
+ include/linux/bitops.h | 2 +-
+ include/linux/capability.h | 13 +
+ include/linux/compiler-gcc.h | 5 +
include/linux/compiler.h | 8 +
include/linux/cred.h | 8 +-
include/linux/dcache.h | 5 +-
include/linux/fs.h | 24 +-
include/linux/fs_struct.h | 2 +-
include/linux/fsnotify.h | 6 +
- include/linux/gracl.h | 342 +++
- include/linux/gracl_compat.h | 156 ++
+ include/linux/gracl.h | 342 +
+ include/linux/gracl_compat.h | 156 +
include/linux/gralloc.h | 9 +
include/linux/grdefs.h | 140 +
- include/linux/grinternal.h | 230 ++
+ include/linux/grinternal.h | 230 +
include/linux/grmsg.h | 118 +
- include/linux/grsecurity.h | 250 ++
+ include/linux/grsecurity.h | 255 +
include/linux/grsock.h | 19 +
+ include/linux/ipc.h | 2 +-
include/linux/ipc_namespace.h | 2 +-
include/linux/kallsyms.h | 18 +-
include/linux/kmod.h | 5 +
include/linux/kobject.h | 2 +-
+ include/linux/lsm_hooks.h | 4 +-
include/linux/mm.h | 12 +
include/linux/mm_types.h | 4 +-
- include/linux/module.h | 4 +-
+ include/linux/module.h | 5 +-
include/linux/mount.h | 2 +-
+ include/linux/msg.h | 2 +-
include/linux/netfilter/xt_gradm.h | 9 +
include/linux/path.h | 4 +-
include/linux/perf_event.h | 13 +-
include/linux/printk.h | 2 +-
include/linux/proc_fs.h | 22 +-
include/linux/proc_ns.h | 2 +-
+ include/linux/ptrace.h | 24 +-
include/linux/random.h | 2 +-
include/linux/rbtree_augmented.h | 4 +-
- include/linux/scatterlist.h | 7 +
- include/linux/sched.h | 104 +-
- include/linux/security.h | 3 +-
+ include/linux/scatterlist.h | 12 +-
+ include/linux/sched.h | 114 +-
+ include/linux/security.h | 1 +
+ include/linux/sem.h | 2 +-
include/linux/seq_file.h | 5 +
- include/linux/shm.h | 4 +
+ include/linux/shm.h | 6 +-
include/linux/skbuff.h | 3 +
include/linux/slab.h | 9 -
- include/linux/sysctl.h | 4 +-
+ include/linux/sysctl.h | 8 +-
include/linux/thread_info.h | 6 +-
include/linux/tty.h | 2 +-
include/linux/tty_driver.h | 4 +-
include/linux/user_namespace.h | 2 +-
include/linux/utsname.h | 2 +-
include/linux/vermagic.h | 16 +-
- include/linux/vmalloc.h | 4 +
+ include/linux/vmalloc.h | 20 +-
include/net/af_unix.h | 2 +-
+ include/net/dst.h | 33 +
include/net/ip.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 2 +-
- include/net/sock.h | 2 +-
+ include/net/sock.h | 4 +-
+ include/target/target_core_base.h | 2 +-
include/trace/events/fs.h | 53 +
include/uapi/linux/personality.h | 1 +
- init/Kconfig | 3 +-
+ init/Kconfig | 4 +-
init/main.c | 35 +-
ipc/mqueue.c | 1 +
- ipc/shm.c | 23 +
+ ipc/msg.c | 3 +-
+ ipc/sem.c | 3 +-
+ ipc/shm.c | 26 +-
ipc/util.c | 6 +
+ kernel/auditsc.c | 2 +-
kernel/bpf/syscall.c | 8 +-
kernel/capability.c | 41 +-
kernel/cgroup.c | 5 +-
kernel/compat.c | 1 +
kernel/configs.c | 11 +
- kernel/cred.c | 113 +-
- kernel/events/core.c | 14 +-
+ kernel/cred.c | 112 +-
+ kernel/events/core.c | 16 +-
kernel/exit.c | 10 +-
kernel/fork.c | 86 +-
- kernel/futex.c | 4 +-
+ kernel/futex.c | 6 +-
+ kernel/futex_compat.c | 2 +-
kernel/kallsyms.c | 9 +
- kernel/kcmp.c | 4 +
+ kernel/kcmp.c | 8 +-
+ kernel/kexec_core.c | 2 +-
kernel/kmod.c | 95 +-
kernel/kprobes.c | 7 +-
kernel/ksysfs.c | 2 +
kernel/locking/lockdep_proc.c | 10 +-
- kernel/module.c | 106 +-
+ kernel/module.c | 108 +-
kernel/panic.c | 4 +-
- kernel/pid.c | 19 +-
+ kernel/pid.c | 23 +-
kernel/power/Kconfig | 2 +
- kernel/printk/printk.c | 5 +
- kernel/ptrace.c | 20 +-
+ kernel/printk/printk.c | 20 +-
+ kernel/ptrace.c | 56 +-
kernel/resource.c | 10 +
kernel/sched/core.c | 11 +-
kernel/signal.c | 37 +-
kernel/sys.c | 64 +-
- kernel/sysctl.c | 71 +-
+ kernel/sysctl.c | 172 +-
kernel/taskstats.c | 6 +
kernel/time/posix-timers.c | 8 +
kernel/time/time.c | 5 +
kernel/time/timekeeping.c | 3 +
- kernel/time/timer_list.c | 12 +
+ kernel/time/timer_list.c | 13 +-
kernel/time/timer_stats.c | 10 +-
+ kernel/trace/Kconfig | 2 +
kernel/trace/trace_syscalls.c | 8 +
kernel/user_namespace.c | 15 +
- lib/Kconfig.debug | 7 +-
+ lib/Kconfig.debug | 13 +-
+ lib/Kconfig.kasan | 2 +-
lib/is_single_threaded.c | 3 +
lib/list_debug.c | 65 +-
lib/nlattr.c | 2 +
lib/rbtree.c | 4 +-
- lib/vsprintf.c | 37 +-
+ lib/vsprintf.c | 39 +-
localversion-grsec | 1 +
- mm/Kconfig | 5 +-
+ mm/Kconfig | 8 +-
mm/Kconfig.debug | 1 +
mm/filemap.c | 1 +
mm/kmemleak.c | 4 +-
- mm/memory.c | 4 +-
+ mm/memory.c | 2 +-
mm/mempolicy.c | 12 +-
mm/migrate.c | 3 +-
mm/mlock.c | 6 +-
mm/mmap.c | 93 +-
mm/mprotect.c | 8 +
+ mm/oom_kill.c | 28 +-
mm/page_alloc.c | 2 +-
- mm/process_vm_access.c | 6 +
- mm/shmem.c | 2 +-
- mm/slab.c | 2 +-
+ mm/process_vm_access.c | 8 +-
+ mm/shmem.c | 36 +-
+ mm/slab.c | 14 +-
mm/slab_common.c | 2 +-
- mm/slub.c | 22 +-
+ mm/slob.c | 12 +
+ mm/slub.c | 33 +-
mm/util.c | 3 +
- mm/vmalloc.c | 72 +-
+ mm/vmalloc.c | 129 +-
mm/vmstat.c | 29 +-
net/appletalk/atalk_proc.c | 2 +-
net/atm/lec.c | 6 +-
net/atm/mpoa_caches.c | 42 +-
+ net/bluetooth/sco.c | 3 +
net/can/bcm.c | 2 +-
net/can/proc.c | 2 +-
net/core/dev_ioctl.c | 7 +-
net/core/net-procfs.c | 17 +-
net/core/pktgen.c | 2 +-
net/core/sock.c | 3 +-
- net/core/sock_diag.c | 7 +
net/core/sysctl_net_core.c | 2 +-
net/decnet/dn_dev.c | 2 +-
net/ipv4/devinet.c | 6 +-
- net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/inet_hashtables.c | 4 +
net/ipv4/ip_input.c | 7 +
net/ipv4/ip_sockglue.c | 3 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
- net/ipv4/ping.c | 1 +
+ net/ipv4/netfilter/nf_nat_pptp.c | 2 +-
net/ipv4/route.c | 6 +-
- net/ipv4/tcp.c | 4 +-
- net/ipv4/tcp_input.c | 6 +-
- net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_ipv4.c | 29 +-
net/ipv4/tcp_minisocks.c | 9 +-
net/ipv4/tcp_timer.c | 11 +
net/ipv4/udp.c | 24 +
net/ipv6/addrconf.c | 13 +-
net/ipv6/proc.c | 2 +-
- net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/tcp_ipv6.c | 26 +-
net/ipv6/udp.c | 7 +
net/ipx/ipx_proc.c | 2 +-
net/irda/irproc.c | 2 +-
net/netfilter/xt_gradm.c | 51 +
net/netfilter/xt_hashlimit.c | 4 +-
net/netfilter/xt_recent.c | 2 +-
- net/rds/connection.c | 1 +
- net/rds/rds.h | 1 +
- net/rds/send.c | 33 +-
- net/socket.c | 71 +-
+ net/sched/sch_api.c | 2 +-
+ net/sctp/socket.c | 4 +-
+ net/socket.c | 75 +-
+ net/sunrpc/Kconfig | 1 +
net/sunrpc/cache.c | 2 +-
net/sunrpc/stats.c | 2 +-
net/sysctl_net.c | 2 +-
net/x25/sysctl_net_x25.c | 2 +-
net/x25/x25_proc.c | 2 +-
scripts/package/Makefile | 2 +-
- scripts/package/mkspec | 38 +-
- security/Kconfig | 363 +++-
+ scripts/package/mkspec | 41 +-
+ security/Kconfig | 369 +-
security/apparmor/file.c | 4 +-
security/apparmor/lsm.c | 8 +-
- security/commoncap.c | 29 +
+ security/commoncap.c | 36 +-
security/min_addr.c | 2 +
+ security/smack/smack_lsm.c | 8 +-
security/tomoyo/file.c | 12 +-
security/tomoyo/mount.c | 4 +
- security/tomoyo/tomoyo.c | 22 +-
+ security/tomoyo/tomoyo.c | 20 +-
security/yama/Kconfig | 2 +-
- sound/core/seq/oss/seq_oss.c | 4 +-
- sound/core/seq/seq_midi.c | 4 +-
- sound/drivers/opl3/opl3_seq.c | 4 +-
- sound/drivers/opl4/opl4_seq.c | 4 +-
- sound/isa/sb/emu8000_synth.c | 4 +-
- sound/pci/emu10k1/emu10k1_synth.c | 4 +-
+ security/yama/yama_lsm.c | 4 +-
sound/synth/emux/emux_seq.c | 14 +-
sound/usb/line6/driver.c | 40 +-
sound/usb/line6/toneport.c | 12 +-
tools/gcc/.gitignore | 1 +
tools/gcc/Makefile | 12 +
tools/gcc/gen-random-seed.sh | 8 +
- tools/gcc/randomize_layout_plugin.c | 917 +++++++
- tools/gcc/size_overflow_plugin/.gitignore | 2 +
- 452 files changed, 19340 insertions(+), 2775 deletions(-)
+ tools/gcc/randomize_layout_plugin.c | 930 +++
+ tools/gcc/size_overflow_plugin/.gitignore | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 459 ++-
+ 511 files changed, 32631 insertions(+), 3196 deletions(-)
+
+commit a76adb92ce39aee8eec5a025c828030ad6135c6d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 14:31:49 2015 -0500
+
+ Update to pax-linux-4.3.3-test11.patch:
+ - fixed a few compile regressions with the recent plugin changes, reported by spender
+ - updated the size overflow hash table
+
+ tools/gcc/latent_entropy_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 66 +++++++++++++++++---
+ tools/gcc/stackleak_plugin.c | 2 +-
+ tools/gcc/structleak_plugin.c | 6 +--
+ 4 files changed, 60 insertions(+), 16 deletions(-)
+
+commit f7284b1fc06628fcb2d35d2beecdea5454d46af9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 11:50:24 2015 -0500
+
+ Apply structleak ICE fix for gcc < 4.9
+
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 92fe3eb9fd10ec7f7334decab1526989669b0287
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 07:57:06 2015 -0500
+
+ Update to pax-linux-4.3.1-test10.patch:
+ - Emese fixed INDIRECT_REF and TARGET_MEM_REF handling in the initify plugin
+ - Emese regenerated the size overflow hash tables for 4.3
+ - fixed some compat syscall exit paths to restore r12 under KERNEXEC/or
+ - the latent entropy, stackleak and structleak plugins no longer split the entry block unnecessarily
+
+ arch/x86/entry/entry_64.S | 2 +-
+ arch/x86/entry/entry_64_compat.S | 15 +-
+ scripts/package/builddeb | 2 +-
+ tools/gcc/initify_plugin.c | 11 +-
+ tools/gcc/latent_entropy_plugin.c | 20 +-
+ .../disable_size_overflow_hash.data | 4 +
+ .../size_overflow_plugin/size_overflow_hash.data | 5345 +++++++++++---------
+ tools/gcc/stackleak_plugin.c | 26 +-
+ tools/gcc/structleak_plugin.c | 21 +-
+ 9 files changed, 3079 insertions(+), 2367 deletions(-)
+
+commit 5bd245cb687319079c2f1c0d6a1170791ed1ed2c
+Merge: b5847e6 3548341
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 07:47:56 2015 -0500
+
+ Merge branch 'linux-4.3.y' into pax-4_3
+
+ Conflicts:
+ net/unix/af_unix.c
+
+commit b5847e6a896c5d99191135ca4d7c3b6be8f116ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 9 23:11:36 2015 -0500
+
+ Update to pax-linux-4.3.1-test9.patch:
+ - fixed __get_user on x86 to lie less about the size of the load, reported by peetaur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4332)
+ - Emese fixed an intentional overflow caused by gcc, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4333)
+ - Emese fixed a false positive overflow report in the forcedeth driver, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?t=4334)
+ - Emese fixed a false positive overflow report in KVM's emulator, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4336)
+ - Emese fixed the initify plugin to detect some captured use of __func__, reported by Rasmus Villemoes <linux@rasmusvillemoes.dk>
+ - constrained shmmax and shmall to avoid triggering size overflow checks, reported by Mathias Krause <minipli@ld-linux.so>
+ - the checker plugin can partially handle sparse's locking context annotations, it's context insensitive and thus not exactly useful for now, also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59856
+
+ Makefile | 6 +
+ arch/x86/include/asm/compat.h | 4 +
+ arch/x86/include/asm/dma.h | 2 +
+ arch/x86/include/asm/pmem.h | 2 +-
+ arch/x86/include/asm/uaccess.h | 20 +-
+ arch/x86/kernel/apic/vector.c | 6 +-
+ arch/x86/kernel/cpu/mtrr/generic.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 28 +-
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kvm/i8259.c | 10 +-
+ arch/x86/kvm/ioapic.c | 2 +
+ arch/x86/kvm/x86.c | 2 +
+ arch/x86/lib/usercopy_64.c | 2 +-
+ arch/x86/mm/mpx.c | 4 +-
+ arch/x86/mm/pageattr.c | 7 +
+ drivers/base/devres.c | 4 +-
+ drivers/base/power/runtime.c | 6 +-
+ drivers/base/regmap/regmap.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/block/drbd/drbd_worker.c | 6 +-
+ drivers/char/virtio_console.c | 6 +-
+ drivers/md/dm.c | 12 +-
+ drivers/net/ethernet/nvidia/forcedeth.c | 4 +-
+ drivers/net/macvtap.c | 4 +-
+ drivers/video/fbdev/core/fbmem.c | 10 +-
+ fs/compat.c | 3 +-
+ fs/coredump.c | 2 +-
+ fs/dcache.c | 13 +-
+ fs/fhandle.c | 2 +-
+ fs/file.c | 14 +-
+ fs/fs-writeback.c | 11 +-
+ fs/overlayfs/copy_up.c | 2 +-
+ fs/readdir.c | 3 +-
+ fs/super.c | 3 +-
+ include/linux/compiler.h | 36 ++-
+ include/linux/rcupdate.h | 8 +
+ include/linux/sched.h | 4 +-
+ include/linux/seqlock.h | 10 +
+ include/linux/spinlock.h | 17 +-
+ include/linux/srcu.h | 5 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/writeback.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ ipc/ipc_sysctl.c | 6 +
+ kernel/exit.c | 25 +-
+ kernel/resource.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/user.c | 2 +-
+ kernel/workqueue.c | 6 +-
+ lib/rhashtable.c | 4 +-
+ net/compat.c | 2 +-
+ net/ipv4/xfrm4_mode_transport.c | 2 +-
+ security/keys/internal.h | 8 +-
+ security/keys/keyring.c | 4 -
+ sound/core/seq/seq_clientmgr.c | 8 +-
+ sound/core/seq/seq_compat.c | 2 +-
+ sound/core/seq/seq_memory.c | 6 +-
+ tools/gcc/checker_plugin.c | 415 +++++++++++++++++++-
+ tools/gcc/gcc-common.h | 1 +
+ tools/gcc/initify_plugin.c | 33 ++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ 62 files changed, 708 insertions(+), 140 deletions(-)
+
+commit f2634c2f6995f4231616f24ed016f890c701f939
+Merge: 1241bff 5f8b236
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 9 21:50:47 2015 -0500
+
+ Merge branch 'linux-4.3.y' into pax-4_3
+
+ Conflicts:
+ arch/x86/kernel/fpu/xstate.c
+ arch/x86/kernel/head_64.S
+
+commit 1241bff82e3d7dadb05de0a60b8d2822afc6547c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 6 08:44:56 2015 -0500
+
+ Update to pax-linux-4.3-test8.patch:
+ - fixed integer truncation check in md introduced by upstream commits 284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41, reported by BeiKed9o (https://forums.grsecurity.net/viewtopic.php?f=3&t=4328)
+ - gcc plugin compilation problems will now also produce the output of the checking script to make diagnosis easier, reported by hunger
+ - Emese fixed a false positive size overflow report in __vhost_add_used_n, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4329)
+ - fixed a potential integer truncation error in the raid1 code caught by the size overflow plugin, reported by d1b (https://forums.grsecurity.net/viewtopic.php?f=3&t=4331)
+
+ Makefile | 5 +++
+ drivers/md/md.c | 5 ++-
+ drivers/md/raid1.c | 2 +-
+ fs/proc/task_mmu.c | 3 ++
+ .../disable_size_overflow_hash.data | 4 ++-
+ .../size_overflow_plugin/intentional_overflow.c | 32 ++++++++++++++++---
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 8 files changed, 43 insertions(+), 12 deletions(-)
-commit bb1459423dd1d228fcbd17812a82a2d05ad9577b
+commit cce6a9f9bdd27096632ca1c0246dcc07f2eb1a18
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat May 2 21:53:15 2015 -0400
+Date: Fri Dec 4 14:24:12 2015 -0500
- Initial import of pax-linux-4.0.1-test6.patch
+ Initial import of pax-linux-4.3-test7.patch
Documentation/dontdiff | 47 +-
Documentation/kbuild/makefiles.txt | 39 +-
Documentation/kernel-parameters.txt | 28 +
- Makefile | 106 +-
+ Makefile | 108 +-
arch/alpha/include/asm/atomic.h | 10 +
arch/alpha/include/asm/elf.h | 7 +
arch/alpha/include/asm/pgalloc.h | 6 +
arch/alpha/kernel/osf_sys.c | 8 +-
arch/alpha/mm/fault.c | 141 +-
arch/arm/Kconfig | 2 +-
- arch/arm/include/asm/atomic.h | 319 +-
- arch/arm/include/asm/barrier.h | 2 +-
+ arch/arm/include/asm/atomic.h | 320 +-
arch/arm/include/asm/cache.h | 5 +-
arch/arm/include/asm/cacheflush.h | 2 +-
arch/arm/include/asm/checksum.h | 14 +-
- arch/arm/include/asm/cmpxchg.h | 2 +
- arch/arm/include/asm/domain.h | 33 +-
- arch/arm/include/asm/elf.h | 13 +-
+ arch/arm/include/asm/cmpxchg.h | 4 +
+ arch/arm/include/asm/cpuidle.h | 2 +-
+ arch/arm/include/asm/domain.h | 22 +-
+ arch/arm/include/asm/elf.h | 9 +-
arch/arm/include/asm/fncpy.h | 2 +
arch/arm/include/asm/futex.h | 10 +
arch/arm/include/asm/kmap_types.h | 2 +-
arch/arm/include/asm/pgtable-2level.h | 3 +
arch/arm/include/asm/pgtable-3level.h | 3 +
arch/arm/include/asm/pgtable.h | 54 +-
- arch/arm/include/asm/psci.h | 2 +-
arch/arm/include/asm/smp.h | 2 +-
- arch/arm/include/asm/thread_info.h | 6 +-
arch/arm/include/asm/tls.h | 3 +
- arch/arm/include/asm/uaccess.h | 96 +-
+ arch/arm/include/asm/uaccess.h | 79 +-
arch/arm/include/uapi/asm/ptrace.h | 2 +-
- arch/arm/kernel/armksyms.c | 8 +-
- arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/armksyms.c | 2 +-
+ arch/arm/kernel/cpuidle.c | 2 +-
+ arch/arm/kernel/entry-armv.S | 109 +-
arch/arm/kernel/entry-common.S | 40 +-
- arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/entry-header.S | 55 +
arch/arm/kernel/fiq.c | 3 +
- arch/arm/kernel/head.S | 2 +-
- arch/arm/kernel/module.c | 31 +-
+ arch/arm/kernel/module-plts.c | 7 +-
+ arch/arm/kernel/module.c | 38 +-
arch/arm/kernel/patch.c | 2 +
- arch/arm/kernel/process.c | 83 +-
- arch/arm/kernel/psci.c | 2 +-
+ arch/arm/kernel/process.c | 90 +-
+ arch/arm/kernel/reboot.c | 1 +
arch/arm/kernel/setup.c | 20 +-
arch/arm/kernel/signal.c | 35 +-
arch/arm/kernel/smp.c | 2 +-
arch/arm/kernel/tcm.c | 4 +-
- arch/arm/kernel/traps.c | 6 +-
arch/arm/kernel/vmlinux.lds.S | 6 +-
- arch/arm/kvm/arm.c | 10 +-
- arch/arm/lib/clear_user.S | 6 +-
- arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/kvm/arm.c | 8 +-
arch/arm/lib/copy_page.S | 1 +
- arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/csumpartialcopyuser.S | 4 +-
arch/arm/lib/delay.c | 2 +-
arch/arm/lib/uaccess_with_memcpy.c | 4 +-
- arch/arm/mach-exynos/suspend.c | 7 +-
- arch/arm/mach-keystone/keystone.c | 2 +-
+ arch/arm/mach-exynos/suspend.c | 6 +-
arch/arm/mach-mvebu/coherency.c | 4 +-
arch/arm/mach-omap2/board-n8x0.c | 2 +-
arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
arch/arm/mach-omap2/omap_hwmod.c | 4 +-
arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +-
arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-shmobile/platsmp-apmu.c | 5 +-
arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
arch/arm/mach-tegra/irq.c | 1 +
arch/arm/mach-ux500/pm.c | 1 +
- arch/arm/mach-ux500/setup.h | 7 -
arch/arm/mach-zynq/platsmp.c | 1 +
arch/arm/mm/Kconfig | 6 +-
arch/arm/mm/alignment.c | 8 +
arch/arm/mm/init.c | 39 +
arch/arm/mm/ioremap.c | 4 +-
arch/arm/mm/mmap.c | 30 +-
- arch/arm/mm/mmu.c | 182 +-
+ arch/arm/mm/mmu.c | 162 +-
arch/arm/net/bpf_jit_32.c | 3 +
arch/arm/plat-iop/setup.c | 2 +-
arch/arm/plat-omap/sram.c | 2 +
arch/arm64/include/asm/atomic.h | 10 +
- arch/arm64/include/asm/barrier.h | 2 +-
arch/arm64/include/asm/percpu.h | 8 +-
arch/arm64/include/asm/pgalloc.h | 5 +
arch/arm64/include/asm/uaccess.h | 1 +
arch/frv/mm/elf-fdpic.c | 3 +-
arch/ia64/Makefile | 1 +
arch/ia64/include/asm/atomic.h | 10 +
- arch/ia64/include/asm/barrier.h | 2 +-
arch/ia64/include/asm/elf.h | 7 +
arch/ia64/include/asm/pgalloc.h | 12 +
arch/ia64/include/asm/pgtable.h | 13 +-
arch/ia64/mm/fault.c | 32 +-
arch/ia64/mm/init.c | 15 +-
arch/m32r/lib/usercopy.c | 6 +
- arch/metag/include/asm/barrier.h | 2 +-
arch/mips/cavium-octeon/dma-octeon.c | 2 +-
- arch/mips/include/asm/atomic.h | 355 +-
- arch/mips/include/asm/barrier.h | 2 +-
- arch/mips/include/asm/elf.h | 11 +-
+ arch/mips/include/asm/atomic.h | 368 +-
+ arch/mips/include/asm/elf.h | 7 +
arch/mips/include/asm/exec.h | 2 +-
arch/mips/include/asm/hw_irq.h | 2 +-
arch/mips/include/asm/local.h | 57 +
arch/mips/include/asm/uaccess.h | 1 +
arch/mips/kernel/binfmt_elfn32.c | 7 +
arch/mips/kernel/binfmt_elfo32.c | 7 +
- arch/mips/kernel/i8259.c | 2 +-
arch/mips/kernel/irq-gt641xx.c | 2 +-
arch/mips/kernel/irq.c | 6 +-
arch/mips/kernel/pm-cps.c | 2 +-
arch/mips/kernel/process.c | 12 -
- arch/mips/kernel/reset.c | 4 +
arch/mips/kernel/sync-r4k.c | 24 +-
arch/mips/kernel/traps.c | 13 +-
- arch/mips/kvm/mips.c | 2 +-
arch/mips/mm/fault.c | 25 +
arch/mips/mm/mmap.c | 51 +-
arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
arch/parisc/kernel/traps.c | 4 +-
arch/parisc/mm/fault.c | 140 +-
arch/powerpc/include/asm/atomic.h | 329 +-
- arch/powerpc/include/asm/barrier.h | 2 +-
- arch/powerpc/include/asm/elf.h | 16 +-
+ arch/powerpc/include/asm/elf.h | 12 +
arch/powerpc/include/asm/exec.h | 2 +-
arch/powerpc/include/asm/kmap_types.h | 2 +-
arch/powerpc/include/asm/local.h | 46 +
arch/powerpc/kernel/signal_64.c | 2 +-
arch/powerpc/kernel/traps.c | 21 +
arch/powerpc/kernel/vdso.c | 5 +-
- arch/powerpc/kvm/powerpc.c | 2 +-
arch/powerpc/lib/usercopy_64.c | 18 -
arch/powerpc/mm/fault.c | 56 +-
- arch/powerpc/mm/mmap.c | 24 +-
+ arch/powerpc/mm/mmap.c | 16 +
arch/powerpc/mm/slice.c | 13 +-
arch/powerpc/platforms/cell/spufs/file.c | 4 +-
arch/s390/include/asm/atomic.h | 10 +
- arch/s390/include/asm/barrier.h | 2 +-
- arch/s390/include/asm/elf.h | 13 +-
+ arch/s390/include/asm/elf.h | 7 +
arch/s390/include/asm/exec.h | 2 +-
arch/s390/include/asm/uaccess.h | 13 +-
arch/s390/kernel/module.c | 22 +-
arch/s390/kernel/process.c | 24 -
- arch/s390/mm/mmap.c | 24 +
+ arch/s390/mm/mmap.c | 16 +
arch/score/include/asm/exec.h | 2 +-
arch/score/kernel/process.c | 5 -
arch/sh/mm/mmap.c | 22 +-
arch/sparc/include/asm/atomic_64.h | 110 +-
- arch/sparc/include/asm/barrier_64.h | 2 +-
arch/sparc/include/asm/cache.h | 2 +-
arch/sparc/include/asm/elf_32.h | 7 +
arch/sparc/include/asm/elf_64.h | 7 +
arch/um/include/asm/page.h | 3 +
arch/um/include/asm/pgtable-3level.h | 1 +
arch/um/kernel/process.c | 16 -
- arch/x86/Kconfig | 11 +-
+ arch/x86/Kconfig | 15 +-
arch/x86/Kconfig.cpu | 6 +-
arch/x86/Kconfig.debug | 4 +-
arch/x86/Makefile | 13 +-
arch/x86/crypto/camellia-x86_64-asm_64.S | 7 +
arch/x86/crypto/cast5-avx-x86_64-asm_64.S | 51 +-
arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 25 +-
- arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 2 +
+ arch/x86/crypto/crc32c-pcl-intel-asm_64.S | 4 +-
arch/x86/crypto/ghash-clmulni-intel_asm.S | 4 +
arch/x86/crypto/salsa20-x86_64-asm_64.S | 4 +
arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 9 +
arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/entry/calling.h | 86 +-
+ arch/x86/entry/common.c | 13 +-
+ arch/x86/entry/entry_32.S | 351 +-
+ arch/x86/entry/entry_64.S | 619 +-
+ arch/x86/entry/entry_64_compat.S | 159 +-
+ arch/x86/entry/thunk_64.S | 2 +
+ arch/x86/entry/vdso/Makefile | 2 +-
+ arch/x86/entry/vdso/vdso2c.h | 8 +-
+ arch/x86/entry/vdso/vma.c | 41 +-
+ arch/x86/entry/vsyscall/vsyscall_64.c | 16 +-
+ arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +-
arch/x86/ia32/ia32_signal.c | 23 +-
- arch/x86/ia32/ia32entry.S | 170 +-
- arch/x86/ia32/sys_ia32.c | 4 +-
- arch/x86/include/asm/alternative-asm.h | 39 +
+ arch/x86/ia32/sys_ia32.c | 42 +-
+ arch/x86/include/asm/alternative-asm.h | 43 +-
arch/x86/include/asm/alternative.h | 4 +-
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/apm.h | 4 +-
- arch/x86/include/asm/atomic.h | 269 +-
+ arch/x86/include/asm/atomic.h | 230 +-
arch/x86/include/asm/atomic64_32.h | 100 +
arch/x86/include/asm/atomic64_64.h | 164 +-
- arch/x86/include/asm/barrier.h | 4 +-
arch/x86/include/asm/bitops.h | 18 +-
- arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/boot.h | 2 +-
arch/x86/include/asm/cache.h | 5 +-
- arch/x86/include/asm/calling.h | 119 +-
arch/x86/include/asm/checksum_32.h | 12 +-
arch/x86/include/asm/cmpxchg.h | 39 +
arch/x86/include/asm/compat.h | 2 +-
- arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/cpufeature.h | 17 +-
arch/x86/include/asm/desc.h | 78 +-
arch/x86/include/asm/desc_defs.h | 6 +
arch/x86/include/asm/div64.h | 2 +-
- arch/x86/include/asm/elf.h | 36 +-
+ arch/x86/include/asm/elf.h | 33 +-
arch/x86/include/asm/emergency-restart.h | 2 +-
- arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/fpu/internal.h | 42 +-
+ arch/x86/include/asm/fpu/types.h | 6 +-
arch/x86/include/asm/futex.h | 14 +-
arch/x86/include/asm/hw_irq.h | 4 +-
arch/x86/include/asm/i8259.h | 2 +-
- arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/io.h | 22 +-
arch/x86/include/asm/irqflags.h | 5 +
arch/x86/include/asm/kprobes.h | 9 +-
arch/x86/include/asm/local.h | 106 +-
arch/x86/include/asm/mman.h | 15 +
- arch/x86/include/asm/mmu.h | 16 +-
- arch/x86/include/asm/mmu_context.h | 136 +-
+ arch/x86/include/asm/mmu.h | 14 +-
+ arch/x86/include/asm/mmu_context.h | 114 +-
arch/x86/include/asm/module.h | 17 +-
arch/x86/include/asm/nmi.h | 19 +-
arch/x86/include/asm/page.h | 1 +
- arch/x86/include/asm/page_64.h | 8 +-
+ arch/x86/include/asm/page_32.h | 12 +-
+ arch/x86/include/asm/page_64.h | 14 +-
arch/x86/include/asm/paravirt.h | 46 +-
arch/x86/include/asm/paravirt_types.h | 15 +-
arch/x86/include/asm/pgalloc.h | 23 +
arch/x86/include/asm/pgtable-2level.h | 2 +
- arch/x86/include/asm/pgtable-3level.h | 4 +
- arch/x86/include/asm/pgtable.h | 126 +-
+ arch/x86/include/asm/pgtable-3level.h | 7 +
+ arch/x86/include/asm/pgtable.h | 128 +-
arch/x86/include/asm/pgtable_32.h | 14 +-
- arch/x86/include/asm/pgtable_32_types.h | 15 +-
- arch/x86/include/asm/pgtable_64.h | 20 +-
+ arch/x86/include/asm/pgtable_32_types.h | 24 +-
+ arch/x86/include/asm/pgtable_64.h | 23 +-
arch/x86/include/asm/pgtable_64_types.h | 5 +
arch/x86/include/asm/pgtable_types.h | 26 +-
arch/x86/include/asm/preempt.h | 2 +-
- arch/x86/include/asm/processor.h | 54 +-
- arch/x86/include/asm/ptrace.h | 26 +-
- arch/x86/include/asm/qrwlock.h | 4 +-
+ arch/x86/include/asm/processor.h | 57 +-
+ arch/x86/include/asm/ptrace.h | 13 +-
arch/x86/include/asm/realmode.h | 4 +-
arch/x86/include/asm/reboot.h | 10 +-
arch/x86/include/asm/rmwcc.h | 84 +-
arch/x86/include/asm/rwsem.h | 60 +-
- arch/x86/include/asm/segment.h | 29 +-
- arch/x86/include/asm/smap.h | 64 +-
+ arch/x86/include/asm/segment.h | 27 +-
+ arch/x86/include/asm/smap.h | 43 +
arch/x86/include/asm/smp.h | 14 +-
arch/x86/include/asm/stackprotector.h | 4 +-
arch/x86/include/asm/stacktrace.h | 32 +-
arch/x86/include/asm/switch_to.h | 4 +-
- arch/x86/include/asm/thread_info.h | 31 +-
- arch/x86/include/asm/tlbflush.h | 75 +-
+ arch/x86/include/asm/sys_ia32.h | 6 +-
+ arch/x86/include/asm/thread_info.h | 27 +-
+ arch/x86/include/asm/tlbflush.h | 77 +-
arch/x86/include/asm/uaccess.h | 192 +-
arch/x86/include/asm/uaccess_32.h | 28 +-
arch/x86/include/asm/uaccess_64.h | 169 +-
arch/x86/include/asm/word-at-a-time.h | 2 +-
arch/x86/include/asm/x86_init.h | 10 +-
arch/x86/include/asm/xen/page.h | 2 +-
- arch/x86/include/asm/xsave.h | 14 +-
arch/x86/include/uapi/asm/e820.h | 2 +-
- arch/x86/include/uapi/asm/ptrace-abi.h | 1 -
arch/x86/kernel/Makefile | 2 +-
arch/x86/kernel/acpi/boot.c | 4 +-
arch/x86/kernel/acpi/sleep.c | 4 +
arch/x86/kernel/acpi/wakeup_32.S | 6 +-
- arch/x86/kernel/alternative.c | 74 +-
+ arch/x86/kernel/alternative.c | 124 +-
arch/x86/kernel/apic/apic.c | 4 +-
- arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 6 +-
arch/x86/kernel/apic/apic_noop.c | 2 +-
arch/x86/kernel/apic/bigsmp_32.c | 2 +-
arch/x86/kernel/apic/io_apic.c | 8 +-
- arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/msi.c | 2 +-
+ arch/x86/kernel/apic/probe_32.c | 4 +-
arch/x86/kernel/apic/vector.c | 4 +-
- arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 2 +-
arch/x86/kernel/apic/x2apic_phys.c | 2 +-
arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
arch/x86/kernel/apm_32.c | 21 +-
arch/x86/kernel/asm-offsets_64.c | 1 +
arch/x86/kernel/cpu/Makefile | 4 -
arch/x86/kernel/cpu/amd.c | 2 +-
- arch/x86/kernel/cpu/common.c | 140 +-
- arch/x86/kernel/cpu/intel_cacheinfo.c | 48 +-
- arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/bugs_64.c | 2 +
+ arch/x86/kernel/cpu/common.c | 202 +-
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 14 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 34 +-
arch/x86/kernel/cpu/mcheck/p5.c | 3 +
arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
- arch/x86/kernel/cpu/microcode/core.c | 2 +-
arch/x86/kernel/cpu/microcode/intel.c | 4 +-
arch/x86/kernel/cpu/mtrr/main.c | 2 +-
arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
- arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event.c | 10 +-
arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_bts.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel_cqm.c | 4 +-
+ arch/x86/kernel/cpu/perf_event_intel_pt.c | 44 +-
arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
- arch/x86/kernel/cpuid.c | 2 +-
- arch/x86/kernel/crash.c | 2 +-
arch/x86/kernel/crash_dump_64.c | 2 +-
arch/x86/kernel/doublefault.c | 8 +-
- arch/x86/kernel/dumpstack.c | 30 +-
- arch/x86/kernel/dumpstack_32.c | 29 +-
+ arch/x86/kernel/dumpstack.c | 24 +-
+ arch/x86/kernel/dumpstack_32.c | 25 +-
arch/x86/kernel/dumpstack_64.c | 62 +-
arch/x86/kernel/e820.c | 4 +-
arch/x86/kernel/early_printk.c | 1 +
- arch/x86/kernel/entry_32.S | 359 +-
- arch/x86/kernel/entry_64.S | 714 +-
- arch/x86/kernel/espfix_64.c | 13 +-
- arch/x86/kernel/ftrace.c | 8 +-
- arch/x86/kernel/head64.c | 13 +-
- arch/x86/kernel/head_32.S | 228 +-
- arch/x86/kernel/head_64.S | 139 +-
+ arch/x86/kernel/espfix_64.c | 44 +-
+ arch/x86/kernel/fpu/core.c | 24 +-
+ arch/x86/kernel/fpu/init.c | 40 +-
+ arch/x86/kernel/fpu/regset.c | 22 +-
+ arch/x86/kernel/fpu/signal.c | 20 +-
+ arch/x86/kernel/fpu/xstate.c | 8 +-
+ arch/x86/kernel/ftrace.c | 18 +-
+ arch/x86/kernel/head64.c | 14 +-
+ arch/x86/kernel/head_32.S | 235 +-
+ arch/x86/kernel/head_64.S | 173 +-
arch/x86/kernel/i386_ksyms_32.c | 12 +
- arch/x86/kernel/i387.c | 2 +-
arch/x86/kernel/i8259.c | 10 +-
arch/x86/kernel/io_delay.c | 2 +-
arch/x86/kernel/ioport.c | 2 +-
arch/x86/kernel/irq.c | 8 +-
- arch/x86/kernel/irq_32.c | 47 +-
- arch/x86/kernel/irq_64.c | 2 +-
- arch/x86/kernel/jump_label.c | 8 +-
- arch/x86/kernel/kgdb.c | 25 +-
- arch/x86/kernel/kprobes/core.c | 32 +-
+ arch/x86/kernel/irq_32.c | 45 +-
+ arch/x86/kernel/jump_label.c | 10 +-
+ arch/x86/kernel/kgdb.c | 21 +-
+ arch/x86/kernel/kprobes/core.c | 28 +-
arch/x86/kernel/kprobes/opt.c | 16 +-
arch/x86/kernel/ksysfs.c | 2 +-
- arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/kvmclock.c | 20 +-
+ arch/x86/kernel/ldt.c | 25 +
arch/x86/kernel/livepatch.c | 12 +-
arch/x86/kernel/machine_kexec_32.c | 6 +-
arch/x86/kernel/mcount_64.S | 19 +-
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kernel/pci-iommu_table.c | 2 +-
arch/x86/kernel/pci-swiotlb.c | 2 +-
- arch/x86/kernel/process.c | 55 +-
- arch/x86/kernel/process_32.c | 32 +-
- arch/x86/kernel/process_64.c | 21 +-
+ arch/x86/kernel/process.c | 80 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 14 +-
arch/x86/kernel/ptrace.c | 20 +-
arch/x86/kernel/pvclock.c | 8 +-
arch/x86/kernel/reboot.c | 44 +-
arch/x86/kernel/reboot_fixups_32.c | 2 +-
arch/x86/kernel/relocate_kernel_64.S | 3 +-
- arch/x86/kernel/setup.c | 27 +-
+ arch/x86/kernel/setup.c | 29 +-
arch/x86/kernel/setup_percpu.c | 29 +-
arch/x86/kernel/signal.c | 17 +-
arch/x86/kernel/smp.c | 2 +-
arch/x86/kernel/smpboot.c | 29 +-
- arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/step.c | 6 +-
arch/x86/kernel/sys_i386_32.c | 184 +
arch/x86/kernel/sys_x86_64.c | 22 +-
- arch/x86/kernel/tboot.c | 12 +-
- arch/x86/kernel/time.c | 10 +-
+ arch/x86/kernel/tboot.c | 14 +-
+ arch/x86/kernel/time.c | 8 +-
arch/x86/kernel/tls.c | 7 +-
arch/x86/kernel/tracepoint.c | 4 +-
- arch/x86/kernel/traps.c | 79 +-
+ arch/x86/kernel/traps.c | 53 +-
arch/x86/kernel/tsc.c | 2 +-
- arch/x86/kernel/uprobes.c | 4 +-
+ arch/x86/kernel/uprobes.c | 2 +-
arch/x86/kernel/vm86_32.c | 6 +-
- arch/x86/kernel/vmlinux.lds.S | 147 +-
- arch/x86/kernel/vsyscall_64.c | 16 +-
+ arch/x86/kernel/vmlinux.lds.S | 153 +-
arch/x86/kernel/x8664_ksyms_64.c | 6 +-
arch/x86/kernel/x86_init.c | 6 +-
- arch/x86/kernel/xsave.c | 10 +-
arch/x86/kvm/cpuid.c | 21 +-
arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/lapic.c | 2 +-
arch/x86/kvm/paging_tmpl.h | 2 +-
- arch/x86/kvm/svm.c | 8 +
- arch/x86/kvm/vmx.c | 82 +-
- arch/x86/kvm/x86.c | 8 +-
+ arch/x86/kvm/svm.c | 10 +-
+ arch/x86/kvm/vmx.c | 62 +-
+ arch/x86/kvm/x86.c | 42 +-
arch/x86/lguest/boot.c | 3 +-
arch/x86/lib/atomic64_386_32.S | 164 +
- arch/x86/lib/atomic64_cx8_32.S | 103 +-
- arch/x86/lib/checksum_32.S | 100 +-
- arch/x86/lib/clear_page_64.S | 5 +-
+ arch/x86/lib/atomic64_cx8_32.S | 98 +-
+ arch/x86/lib/checksum_32.S | 99 +-
+ arch/x86/lib/clear_page_64.S | 3 +
arch/x86/lib/cmpxchg16b_emu.S | 3 +
- arch/x86/lib/copy_page_64.S | 20 +-
- arch/x86/lib/copy_user_64.S | 81 +-
- arch/x86/lib/copy_user_nocache_64.S | 14 +
- arch/x86/lib/csum-copy_64.S | 18 +-
+ arch/x86/lib/copy_page_64.S | 14 +-
+ arch/x86/lib/copy_user_64.S | 66 +-
+ arch/x86/lib/csum-copy_64.S | 14 +-
arch/x86/lib/csum-wrappers_64.c | 8 +-
arch/x86/lib/getuser.S | 74 +-
arch/x86/lib/insn.c | 8 +-
arch/x86/lib/iomap_copy_64.S | 2 +
- arch/x86/lib/memcpy_64.S | 10 +-
- arch/x86/lib/memmove_64.S | 4 +-
- arch/x86/lib/memset_64.S | 7 +-
+ arch/x86/lib/memcpy_64.S | 6 +
+ arch/x86/lib/memmove_64.S | 3 +-
+ arch/x86/lib/memset_64.S | 3 +
arch/x86/lib/mmx_32.c | 243 +-
arch/x86/lib/msr-reg.S | 2 +
- arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/putuser.S | 87 +-
arch/x86/lib/rwsem.S | 6 +-
- arch/x86/lib/thunk_64.S | 12 +-
- arch/x86/lib/usercopy_32.c | 357 +-
- arch/x86/lib/usercopy_64.c | 18 +-
+ arch/x86/lib/usercopy_32.c | 359 +-
+ arch/x86/lib/usercopy_64.c | 20 +-
+ arch/x86/math-emu/fpu_aux.c | 2 +-
+ arch/x86/math-emu/fpu_entry.c | 4 +-
+ arch/x86/math-emu/fpu_system.h | 2 +-
arch/x86/mm/Makefile | 4 +
- arch/x86/mm/extable.c | 25 +-
- arch/x86/mm/fault.c | 568 +-
+ arch/x86/mm/extable.c | 26 +-
+ arch/x86/mm/fault.c | 570 +-
arch/x86/mm/gup.c | 6 +-
- arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/highmem_32.c | 6 +
arch/x86/mm/hugetlbpage.c | 24 +-
- arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init.c | 111 +-
arch/x86/mm/init_32.c | 111 +-
arch/x86/mm/init_64.c | 46 +-
arch/x86/mm/iomap_32.c | 4 +
- arch/x86/mm/ioremap.c | 28 +-
+ arch/x86/mm/ioremap.c | 52 +-
arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
- arch/x86/mm/mmap.c | 36 +-
+ arch/x86/mm/mmap.c | 40 +-
arch/x86/mm/mmio-mod.c | 10 +-
arch/x86/mm/numa.c | 2 +-
- arch/x86/mm/pageattr.c | 33 +-
- arch/x86/mm/pat.c | 20 +-
+ arch/x86/mm/pageattr.c | 38 +-
+ arch/x86/mm/pat.c | 12 +-
arch/x86/mm/pat_rbtree.c | 2 +-
arch/x86/mm/pf_in.c | 10 +-
- arch/x86/mm/pgtable.c | 162 +-
+ arch/x86/mm/pgtable.c | 214 +-
arch/x86/mm/pgtable_32.c | 3 +
- arch/x86/mm/physaddr.c | 4 +-
arch/x86/mm/setup_nx.c | 7 +
arch/x86/mm/tlb.c | 4 +
arch/x86/mm/uderef_64.c | 37 +
arch/x86/net/bpf_jit.S | 11 +
arch/x86/net/bpf_jit_comp.c | 13 +-
- arch/x86/oprofile/backtrace.c | 8 +-
+ arch/x86/oprofile/backtrace.c | 6 +-
arch/x86/oprofile/nmi_int.c | 8 +-
arch/x86/oprofile/op_model_amd.c | 8 +-
arch/x86/oprofile/op_model_ppro.c | 7 +-
arch/x86/pci/irq.c | 8 +-
arch/x86/pci/pcbios.c | 144 +-
arch/x86/platform/efi/efi_32.c | 24 +
- arch/x86/platform/efi/efi_64.c | 27 +-
+ arch/x86/platform/efi/efi_64.c | 26 +-
arch/x86/platform/efi/efi_stub_32.S | 64 +-
arch/x86/platform/efi/efi_stub_64.S | 2 +
arch/x86/platform/intel-mid/intel-mid.c | 5 +-
arch/x86/realmode/init.c | 10 +-
arch/x86/realmode/rm/Makefile | 3 +
arch/x86/realmode/rm/header.S | 4 +-
+ arch/x86/realmode/rm/reboot.S | 4 +
arch/x86/realmode/rm/trampoline_32.S | 12 +-
arch/x86/realmode/rm/trampoline_64.S | 3 +-
arch/x86/realmode/rm/wakeup_asm.S | 5 +-
arch/x86/tools/Makefile | 2 +-
- arch/x86/tools/relocs.c | 94 +-
+ arch/x86/tools/relocs.c | 96 +-
arch/x86/um/mem_32.c | 2 +-
arch/x86/um/tls_32.c | 2 +-
- arch/x86/vdso/Makefile | 2 +-
- arch/x86/vdso/vdso2c.h | 2 +-
- arch/x86/vdso/vdso32-setup.c | 1 +
- arch/x86/vdso/vma.c | 41 +-
- arch/x86/xen/enlighten.c | 52 +-
- arch/x86/xen/mmu.c | 13 +-
- arch/x86/xen/smp.c | 21 +-
+ arch/x86/xen/enlighten.c | 50 +-
+ arch/x86/xen/mmu.c | 19 +-
+ arch/x86/xen/smp.c | 16 +-
arch/x86/xen/xen-asm_32.S | 2 +-
arch/x86/xen/xen-head.S | 11 +
arch/x86/xen/xen-ops.h | 2 -
block/scsi_ioctl.c | 29 +-
crypto/cryptd.c | 4 +-
crypto/pcrypt.c | 2 +-
- crypto/zlib.c | 4 +-
+ crypto/zlib.c | 12 +-
+ drivers/acpi/acpi_video.c | 2 +-
drivers/acpi/apei/apei-internal.h | 2 +-
drivers/acpi/apei/ghes.c | 4 +-
drivers/acpi/bgrt.c | 6 +-
drivers/acpi/device_pm.c | 4 +-
drivers/acpi/ec.c | 2 +-
drivers/acpi/pci_slot.c | 2 +-
- drivers/acpi/processor_driver.c | 2 +-
drivers/acpi/processor_idle.c | 2 +-
drivers/acpi/processor_pdc.c | 2 +-
drivers/acpi/sleep.c | 2 +-
drivers/acpi/sysfs.c | 4 +-
drivers/acpi/thermal.c | 2 +-
- drivers/acpi/video.c | 2 +-
- drivers/ata/libahci.c | 2 +-
+ drivers/acpi/video_detect.c | 7 +-
drivers/ata/libata-core.c | 12 +-
drivers/ata/libata-scsi.c | 2 +-
drivers/ata/libata.h | 2 +-
drivers/base/bus.c | 4 +-
drivers/base/devtmpfs.c | 8 +-
drivers/base/node.c | 2 +-
- drivers/base/power/domain.c | 9 +-
+ drivers/base/platform-msi.c | 20 +-
+ drivers/base/power/domain.c | 11 +-
drivers/base/power/sysfs.c | 2 +-
drivers/base/power/wakeup.c | 8 +-
+ drivers/base/regmap/regmap-debugfs.c | 11 +-
drivers/base/syscore.c | 4 +-
drivers/block/cciss.c | 28 +-
drivers/block/cciss.h | 2 +-
drivers/block/drbd/drbd_nl.c | 4 +-
drivers/block/drbd/drbd_receiver.c | 34 +-
drivers/block/drbd/drbd_worker.c | 8 +-
- drivers/block/loop.c | 2 +-
drivers/block/pktcdvd.c | 4 +-
drivers/block/rbd.c | 2 +-
drivers/bluetooth/btwilink.c | 2 +-
+ drivers/bus/arm-cci.c | 12 +-
drivers/cdrom/cdrom.c | 11 +-
drivers/cdrom/gdrom.c | 1 -
drivers/char/agp/compat_ioctl.c | 2 +-
drivers/char/agp/frontend.c | 4 +-
+ drivers/char/agp/intel-gtt.c | 4 +-
drivers/char/hpet.c | 2 +-
- drivers/char/i8k.c | 2 +-
drivers/char/ipmi/ipmi_msghandler.c | 8 +-
drivers/char/ipmi/ipmi_si_intf.c | 8 +-
drivers/char/mem.c | 47 +-
drivers/char/random.c | 12 +-
drivers/char/sonypi.c | 11 +-
drivers/char/tpm/tpm_acpi.c | 3 +-
- drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/tpm/tpm_eventlog.c | 4 +-
drivers/char/virtio_console.c | 4 +-
drivers/clk/clk-composite.c | 2 +-
+ drivers/clk/samsung/clk.h | 2 +-
drivers/clk/socfpga/clk-gate.c | 9 +-
drivers/clk/socfpga/clk-pll.c | 9 +-
+ drivers/clk/ti/clk.c | 8 +-
drivers/cpufreq/acpi-cpufreq.c | 17 +-
drivers/cpufreq/cpufreq-dt.c | 4 +-
- drivers/cpufreq/cpufreq.c | 26 +-
- drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq.c | 30 +-
+ drivers/cpufreq/cpufreq_governor.c | 2 +-
drivers/cpufreq/cpufreq_governor.h | 4 +-
drivers/cpufreq/cpufreq_ondemand.c | 10 +-
drivers/cpufreq/intel_pstate.c | 33 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 67 +-
drivers/cpufreq/speedstep-centrino.c | 7 +-
drivers/cpuidle/driver.c | 2 +-
+ drivers/cpuidle/dt_idle_states.c | 2 +-
drivers/cpuidle/governor.c | 2 +-
drivers/cpuidle/sysfs.c | 2 +-
drivers/crypto/hifn_795x.c | 4 +-
drivers/dma/sh/shdma-base.c | 4 +-
drivers/dma/sh/shdmac.c | 2 +-
drivers/edac/edac_device.c | 4 +-
- drivers/edac/edac_mc_sysfs.c | 12 +-
+ drivers/edac/edac_mc_sysfs.c | 2 +-
drivers/edac/edac_pci.c | 4 +-
drivers/edac/edac_pci_sysfs.c | 22 +-
drivers/edac/mce_amd.h | 2 +-
drivers/firewire/core-transaction.c | 1 +
drivers/firewire/core.h | 1 +
drivers/firmware/dmi-id.c | 2 +-
- drivers/firmware/dmi_scan.c | 2 +-
+ drivers/firmware/dmi_scan.c | 12 +-
drivers/firmware/efi/cper.c | 8 +-
drivers/firmware/efi/efi.c | 12 +-
drivers/firmware/efi/efivars.c | 2 +-
drivers/firmware/google/gsmi.c | 2 +-
drivers/firmware/google/memconsole.c | 7 +-
drivers/firmware/memmap.c | 2 +-
+ drivers/firmware/psci.c | 2 +-
+ drivers/gpio/gpio-davinci.c | 6 +-
drivers/gpio/gpio-em.c | 2 +-
drivers/gpio/gpio-ich.c | 2 +-
- drivers/gpio/gpio-omap.c | 2 +-
+ drivers/gpio/gpio-omap.c | 4 +-
drivers/gpio/gpio-rcar.c | 2 +-
drivers/gpio/gpio-vr41xx.c | 2 +-
- drivers/gpio/gpiolib.c | 13 +-
- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.h | 2 +-
+ drivers/gpio/gpiolib.c | 12 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +-
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 90 +-
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.h | 8 +-
+ .../drm/amd/amdkfd/kfd_device_queue_manager_cik.c | 14 +-
+ .../drm/amd/amdkfd/kfd_device_queue_manager_vi.c | 14 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c | 4 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h | 2 +-
+ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 16 +-
drivers/gpu/drm/drm_crtc.c | 2 +-
drivers/gpu/drm/drm_drv.c | 2 +-
drivers/gpu/drm/drm_fops.c | 12 +-
drivers/gpu/drm/i810/i810_drv.h | 4 +-
drivers/gpu/drm/i915/i915_dma.c | 2 +-
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
- drivers/gpu/drm/i915/i915_ioc32.c | 11 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.h | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 10 +-
drivers/gpu/drm/i915/intel_display.c | 26 +-
drivers/gpu/drm/imx/imx-drm-core.c | 2 +-
drivers/gpu/drm/mga/mga_drv.h | 4 +-
- drivers/gpu/drm/mga/mga_ioc32.c | 11 +-
+ drivers/gpu/drm/mga/mga_ioc32.c | 10 +-
drivers/gpu/drm/mga/mga_irq.c | 8 +-
drivers/gpu/drm/nouveau/nouveau_bios.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/omapdrm/Makefile | 2 +-
drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
drivers/gpu/drm/qxl/qxl_ttm.c | 38 +-
drivers/gpu/drm/r128/r128_cce.c | 2 +-
drivers/gpu/drm/r128/r128_drv.h | 4 +-
- drivers/gpu/drm/r128/r128_ioc32.c | 11 +-
+ drivers/gpu/drm/r128/r128_ioc32.c | 10 +-
drivers/gpu/drm/r128/r128_irq.c | 4 +-
drivers/gpu/drm/r128/r128_state.c | 4 +-
drivers/gpu/drm/radeon/mkregtable.c | 4 +-
drivers/gpu/drm/radeon/radeon_device.c | 2 +-
drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
- drivers/gpu/drm/radeon/radeon_ioc32.c | 13 +-
+ drivers/gpu/drm/radeon/radeon_ioc32.c | 12 +-
drivers/gpu/drm/radeon/radeon_irq.c | 6 +-
drivers/gpu/drm/radeon/radeon_state.c | 4 +-
drivers/gpu/drm/radeon/radeon_ttm.c | 4 +-
drivers/gpu/drm/tegra/dc.c | 2 +-
drivers/gpu/drm/tegra/dsi.c | 2 +-
drivers/gpu/drm/tegra/hdmi.c | 2 +-
+ drivers/gpu/drm/tegra/sor.c | 7 +-
+ drivers/gpu/drm/tilcdc/Makefile | 6 +-
drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 18 +-
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 18 +-
drivers/gpu/drm/via/via_irq.c | 18 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
drivers/gpu/vga/vga_switcheroo.c | 4 +-
drivers/hid/hid-core.c | 4 +-
+ drivers/hid/hid-sensor-custom.c | 2 +-
drivers/hv/channel.c | 2 +-
drivers/hv/hv.c | 4 +-
drivers/hv/hv_balloon.c | 18 +-
drivers/hv/hyperv_vmbus.h | 2 +-
- drivers/hv/vmbus_drv.c | 4 +-
drivers/hwmon/acpi_power_meter.c | 6 +-
drivers/hwmon/applesmc.c | 2 +-
drivers/hwmon/asus_atk0110.c | 10 +-
drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/dell-smm-hwmon.c | 2 +-
drivers/hwmon/ibmaem.c | 2 +-
drivers/hwmon/iio_hwmon.c | 2 +-
drivers/hwmon/nct6683.c | 6 +-
drivers/hwmon/sht15.c | 12 +-
drivers/hwmon/via-cputemp.c | 2 +-
drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/ide/ide-cd.c | 2 +-
+ drivers/ide/ide-disk.c | 2 +-
drivers/iio/industrialio-core.c | 2 +-
+ drivers/iio/magnetometer/ak8975.c | 2 +-
drivers/infiniband/core/cm.c | 32 +-
drivers/infiniband/core/fmr_pool.c | 20 +-
drivers/infiniband/core/uverbs_cmd.c | 3 +
drivers/infiniband/hw/cxgb4/mem.c | 4 +-
- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
drivers/infiniband/hw/mlx4/mad.c | 2 +-
drivers/infiniband/hw/mlx4/mcg.c | 2 +-
drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
drivers/input/serio/serio.c | 4 +-
drivers/input/serio/serio_raw.c | 4 +-
drivers/input/touchscreen/htcpen.c | 2 +-
+ drivers/iommu/arm-smmu-v3.c | 2 +-
+ drivers/iommu/arm-smmu.c | 43 +-
+ drivers/iommu/io-pgtable-arm.c | 101 +-
+ drivers/iommu/io-pgtable.c | 11 +-
+ drivers/iommu/io-pgtable.h | 19 +-
drivers/iommu/iommu.c | 2 +-
- drivers/iommu/irq_remapping.c | 12 +-
- drivers/irqchip/irq-gic.c | 4 +-
+ drivers/iommu/ipmmu-vmsa.c | 13 +-
+ drivers/iommu/irq_remapping.c | 2 +-
+ drivers/irqchip/irq-gic.c | 2 +-
+ drivers/irqchip/irq-i8259.c | 2 +-
drivers/irqchip/irq-renesas-intc-irqpin.c | 2 +-
drivers/irqchip/irq-renesas-irqc.c | 2 +-
drivers/isdn/capi/capi.c | 10 +-
drivers/isdn/i4l/isdn_tty.c | 22 +-
drivers/isdn/icn/icn.c | 2 +-
drivers/isdn/mISDN/dsp_cmx.c | 2 +-
- drivers/leds/leds-clevo-mail.c | 2 +-
- drivers/leds/leds-ss4200.c | 2 +-
drivers/lguest/core.c | 10 +-
drivers/lguest/page_tables.c | 2 +-
drivers/lguest/x86/core.c | 12 +-
drivers/md/bcache/closure.h | 2 +-
drivers/md/bitmap.c | 2 +-
drivers/md/dm-ioctl.c | 2 +-
- drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-raid1.c | 18 +-
drivers/md/dm-stats.c | 6 +-
drivers/md/dm-stripe.c | 10 +-
drivers/md/dm-table.c | 2 +-
drivers/md/persistent-data/dm-space-map-metadata.c | 4 +-
drivers/md/persistent-data/dm-space-map.h | 1 +
drivers/md/raid1.c | 4 +-
- drivers/md/raid10.c | 16 +-
+ drivers/md/raid10.c | 18 +-
drivers/md/raid5.c | 22 +-
drivers/media/dvb-core/dvbdev.c | 2 +-
drivers/media/dvb-frontends/af9033.h | 2 +-
drivers/media/radio/radio-shark2.c | 2 +-
drivers/media/radio/radio-si476x.c | 2 +-
drivers/media/radio/wl128x/fmdrv_common.c | 2 +-
- drivers/media/usb/dvb-usb/dw2102.c | 2 +-
drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 12 +-
drivers/media/v4l2-core/v4l2-device.c | 4 +-
drivers/media/v4l2-core/v4l2-ioctl.c | 13 +-
drivers/mfd/max8925-i2c.c | 2 +-
drivers/mfd/tps65910.c | 2 +-
drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/wm5110-tables.c | 2 +-
+ drivers/mfd/wm8998-tables.c | 2 +-
drivers/misc/c2port/core.c | 4 +-
- drivers/misc/eeprom/sunxi_sid.c | 4 +-
drivers/misc/kgdbts.c | 4 +-
drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/mic/scif/scif_rb.c | 8 +-
drivers/misc/sgi-gru/gruhandles.c | 4 +-
drivers/misc/sgi-gru/gruprocfs.c | 8 +-
drivers/misc/sgi-gru/grutables.h | 154 +-
drivers/misc/sgi-xp/xp.h | 2 +-
drivers/misc/sgi-xp/xpc.h | 3 +-
- drivers/misc/sgi-xp/xpc_main.c | 4 +-
+ drivers/misc/sgi-xp/xpc_main.c | 2 +-
drivers/mmc/card/block.c | 2 +-
drivers/mmc/host/dw_mmc.h | 2 +-
drivers/mmc/host/mmci.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-common.h | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-dcb.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 27 +-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 147 +-
- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 58 +-
- drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 8 +-
- drivers/net/ethernet/amd/xgbe/xgbe-main.c | 11 +-
- drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 143 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 64 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 10 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-main.c | 15 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 27 +-
drivers/net/ethernet/amd/xgbe/xgbe-ptp.c | 4 +-
- drivers/net/ethernet/amd/xgbe/xgbe.h | 7 +-
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 10 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/cavium/liquidio/lio_ethtool.c | 6 +-
+ drivers/net/ethernet/cavium/liquidio/lio_main.c | 11 +-
drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
drivers/net/ethernet/faraday/ftgmac100.c | 2 +
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_tx.c | 4 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +-
drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
drivers/net/ethernet/sfc/ptp.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
drivers/net/ethernet/via/via-rhine.c | 2 +-
+ drivers/net/geneve.c | 2 +-
drivers/net/hyperv/hyperv_net.h | 2 +-
drivers/net/hyperv/rndis_filter.c | 4 +-
drivers/net/ifb.c | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
drivers/net/macvlan.c | 20 +-
drivers/net/macvtap.c | 6 +-
drivers/net/nlmon.c | 2 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/sierra_net.c | 4 +-
drivers/net/virtio_net.c | 2 +-
+ drivers/net/vrf.c | 2 +-
drivers/net/vxlan.c | 4 +-
drivers/net/wimax/i2400m/rx.c | 2 +-
drivers/net/wireless/airo.c | 2 +-
drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath10k/ce.c | 6 +-
drivers/net/wireless/ath/ath10k/htc.c | 7 +-
drivers/net/wireless/ath/ath10k/htc.h | 4 +-
drivers/net/wireless/ath/ath9k/ar9002_mac.c | 36 +-
drivers/net/wireless/ath/ath9k/ar9003_mac.c | 64 +-
drivers/net/wireless/ath/ath9k/hw.h | 4 +-
drivers/net/wireless/ath/ath9k/main.c | 22 +-
+ drivers/net/wireless/ath/wil6210/wil_platform.h | 2 +-
drivers/net/wireless/b43/phy_lp.c | 2 +-
drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
drivers/net/wireless/ti/wl12xx/main.c | 8 +-
drivers/net/wireless/ti/wl18xx/main.c | 6 +-
drivers/nfc/nfcwilink.c | 2 +-
- drivers/nfc/st21nfca/st21nfca.c | 2 +-
drivers/of/fdt.c | 4 +-
drivers/oprofile/buffer_sync.c | 8 +-
drivers/oprofile/event_buffer.c | 2 +-
drivers/oprofile/oprof.c | 2 +-
- drivers/oprofile/oprofile_files.c | 2 +-
drivers/oprofile/oprofile_stats.c | 10 +-
drivers/oprofile/oprofile_stats.h | 10 +-
drivers/oprofile/oprofilefs.c | 6 +-
drivers/pci/hotplug/cpqphp_nvram.c | 2 +
drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
- drivers/pci/msi.c | 6 +-
+ drivers/pci/msi.c | 22 +-
drivers/pci/pci-sysfs.c | 6 +-
drivers/pci/pci.h | 2 +-
drivers/pci/pcie/aspm.c | 6 +-
drivers/pci/pcie/portdrv_pci.c | 2 +-
drivers/pci/probe.c | 2 +-
- drivers/platform/chrome/chromeos_laptop.c | 2 +-
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 2 +-
+ drivers/pinctrl/pinctrl-at91.c | 5 +-
drivers/platform/chrome/chromeos_pstore.c | 2 +-
drivers/platform/x86/alienware-wmi.c | 4 +-
drivers/platform/x86/compal-laptop.c | 2 +-
drivers/platform/x86/samsung-laptop.c | 2 +-
drivers/platform/x86/samsung-q10.c | 2 +-
drivers/platform/x86/sony-laptop.c | 14 +-
- drivers/platform/x86/thinkpad_acpi.c | 4 +-
+ drivers/platform/x86/thinkpad_acpi.c | 2 +-
drivers/pnp/pnpbios/bioscalls.c | 14 +-
drivers/pnp/pnpbios/core.c | 2 +-
drivers/power/pda_power.c | 7 +-
drivers/power/power_supply.h | 4 +-
drivers/power/power_supply_core.c | 7 +-
drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/power/reset/at91-reset.c | 9 +-
drivers/powercap/powercap_sys.c | 136 +-
drivers/ptp/ptp_private.h | 2 +-
drivers/ptp/ptp_sysfs.c | 2 +-
drivers/regulator/core.c | 4 +-
drivers/regulator/max8660.c | 6 +-
- drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/max8973-regulator.c | 16 +-
drivers/regulator/mc13892-regulator.c | 8 +-
+ drivers/rtc/rtc-armada38x.c | 7 +-
drivers/rtc/rtc-cmos.c | 4 +-
drivers/rtc/rtc-ds1307.c | 2 +-
drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/rtc/rtc-test.c | 6 +-
+ drivers/scsi/be2iscsi/be_main.c | 2 +-
drivers/scsi/bfa/bfa_fcpim.h | 2 +-
drivers/scsi/bfa/bfa_ioc.h | 4 +-
drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
drivers/scsi/hosts.c | 4 +-
- drivers/scsi/hpsa.c | 36 +-
+ drivers/scsi/hpsa.c | 38 +-
drivers/scsi/hpsa.h | 2 +-
drivers/scsi/libfc/fc_exch.c | 50 +-
drivers/scsi/libsas/sas_ata.c | 2 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
drivers/scsi/lpfc/lpfc_init.c | 6 +-
drivers/scsi/lpfc/lpfc_scsi.c | 10 +-
+ drivers/scsi/megaraid/megaraid_sas.h | 2 +-
drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
drivers/scsi/pmcraid.c | 20 +-
drivers/scsi/pmcraid.h | 8 +-
drivers/scsi/qla2xxx/qla_os.c | 6 +-
drivers/scsi/qla4xxx/ql4_def.h | 2 +-
drivers/scsi/qla4xxx/ql4_os.c | 6 +-
+ drivers/scsi/scsi.c | 2 +-
drivers/scsi/scsi_lib.c | 8 +-
drivers/scsi/scsi_sysfs.c | 2 +-
drivers/scsi/scsi_transport_fc.c | 8 +-
drivers/scsi/scsi_transport_iscsi.c | 6 +-
drivers/scsi/scsi_transport_srp.c | 6 +-
- drivers/scsi/sd.c | 2 +-
+ drivers/scsi/sd.c | 6 +-
drivers/scsi/sg.c | 2 +-
+ drivers/scsi/sr.c | 21 +-
drivers/soc/tegra/fuse/fuse-tegra.c | 2 +-
drivers/spi/spi.c | 2 +-
drivers/staging/android/timed_output.c | 6 +-
drivers/staging/fbtft/fbtft-core.c | 2 +-
drivers/staging/fbtft/fbtft.h | 2 +-
drivers/staging/gdm724x/gdm_tty.c | 2 +-
- drivers/staging/i2o/i2o.h | 2 +-
- drivers/staging/i2o/i2o_proc.c | 67 +-
- drivers/staging/i2o/iop.c | 8 +-
+ drivers/staging/iio/accel/lis3l02dq_ring.c | 2 +-
+ drivers/staging/iio/adc/ad7280a.c | 4 +-
drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
drivers/staging/lustre/lnet/selftest/framework.c | 4 -
drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
drivers/staging/lustre/lustre/include/obd.h | 2 +-
- .../lustre/lustre/libcfs/linux/linux-proc.c | 6 +-
- drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet-rx.c | 20 +-
drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rdma/ipath/ipath_rc.c | 6 +-
+ drivers/staging/rdma/ipath/ipath_ruc.c | 6 +-
drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
drivers/staging/rtl8712/rtl871x_io.h | 2 +-
- drivers/staging/unisys/visorchipset/visorchipset.h | 4 +-
+ drivers/staging/sm750fb/sm750.c | 14 +-
+ drivers/staging/unisys/visorbus/visorbus_private.h | 4 +-
drivers/target/sbp/sbp_target.c | 4 +-
- drivers/target/target_core_device.c | 2 +-
- drivers/target/target_core_transport.c | 2 +-
+ drivers/thermal/cpu_cooling.c | 9 +-
drivers/thermal/int340x_thermal/int3400_thermal.c | 6 +-
drivers/thermal/of-thermal.c | 17 +-
drivers/thermal/x86_pkg_temp_thermal.c | 2 +-
drivers/tty/ipwireless/tty.c | 27 +-
drivers/tty/moxa.c | 2 +-
drivers/tty/n_gsm.c | 4 +-
- drivers/tty/n_tty.c | 5 +-
+ drivers/tty/n_tty.c | 3 +-
drivers/tty/pty.c | 4 +-
drivers/tty/rocket.c | 6 +-
+ drivers/tty/serial/8250/8250_core.c | 10 +-
+ drivers/tty/serial/ifx6x60.c | 2 +-
drivers/tty/serial/ioc4_serial.c | 6 +-
drivers/tty/serial/kgdb_nmi.c | 4 +-
drivers/tty/serial/kgdboc.c | 32 +-
drivers/uio/uio.c | 13 +-
drivers/usb/atm/cxacru.c | 2 +-
drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/class/cdc-acm.h | 2 +-
drivers/usb/core/devices.c | 6 +-
- drivers/usb/core/devio.c | 10 +-
+ drivers/usb/core/devio.c | 12 +-
drivers/usb/core/hcd.c | 4 +-
- drivers/usb/core/message.c | 6 +-
drivers/usb/core/sysfs.c | 2 +-
drivers/usb/core/usb.c | 2 +-
drivers/usb/early/ehci-dbgp.c | 16 +-
drivers/usb/gadget/function/u_serial.c | 22 +-
+ drivers/usb/gadget/udc/dummy_hcd.c | 2 +-
+ drivers/usb/host/ehci-hcd.c | 2 +-
drivers/usb/host/ehci-hub.c | 4 +-
+ drivers/usb/host/ehci-q.c | 4 +-
+ drivers/usb/host/fotg210-hcd.c | 2 +-
+ drivers/usb/host/fusbh200-hcd.c | 2 +-
+ drivers/usb/host/hwa-hc.c | 2 +-
+ drivers/usb/host/ohci-hcd.c | 2 +-
+ drivers/usb/host/r8a66597.h | 2 +-
+ drivers/usb/host/uhci-hcd.c | 2 +-
+ drivers/usb/host/xhci-pci.c | 2 +-
+ drivers/usb/host/xhci.c | 2 +-
drivers/usb/misc/appledisplay.c | 4 +-
drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/transport.c | 2 +-
+ drivers/usb/storage/usb.c | 2 +-
drivers/usb/storage/usb.h | 2 +-
drivers/usb/usbip/vhci.h | 2 +-
drivers/usb/usbip/vhci_hcd.c | 6 +-
drivers/vfio/vfio.c | 2 +-
drivers/vhost/vringh.c | 20 +-
drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/console/fbcon.c | 2 +-
drivers/video/fbdev/aty/aty128fb.c | 2 +-
drivers/video/fbdev/aty/atyfb_base.c | 8 +-
drivers/video/fbdev/aty/mach64_cursor.c | 5 +-
drivers/video/fbdev/core/fbmem.c | 2 +-
drivers/video/fbdev/hyperv_fb.c | 4 +-
drivers/video/fbdev/i810/i810_accel.c | 1 +
+ drivers/video/fbdev/matrox/matroxfb_base.c | 2 +-
drivers/video/fbdev/mb862xx/mb862xxfb_accel.c | 16 +-
drivers/video/fbdev/nvidia/nvidia.c | 27 +-
drivers/video/fbdev/omap2/dss/display.c | 8 +-
drivers/video/fbdev/vesafb.c | 58 +-
drivers/video/fbdev/via/via_clock.h | 2 +-
drivers/xen/events/events_base.c | 6 +-
- fs/9p/vfs_addr.c | 2 +-
- fs/9p/vfs_inode.c | 2 +-
+ drivers/xen/evtchn.c | 4 +-
fs/Kconfig.binfmt | 2 +-
fs/afs/inode.c | 4 +-
fs/aio.c | 2 +-
fs/autofs4/waitq.c | 2 +-
fs/befs/endian.h | 6 +-
fs/binfmt_aout.c | 23 +-
- fs/binfmt_elf.c | 665 +-
+ fs/binfmt_elf.c | 670 +-
+ fs/binfmt_elf_fdpic.c | 4 +-
fs/block_dev.c | 2 +-
fs/btrfs/ctree.c | 9 +-
- fs/btrfs/delayed-inode.c | 6 +-
- fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/delayed-inode.c | 9 +-
+ fs/btrfs/delayed-inode.h | 6 +-
+ fs/btrfs/file.c | 10 +-
+ fs/btrfs/inode.c | 14 +-
fs/btrfs/super.c | 2 +-
fs/btrfs/sysfs.c | 2 +-
fs/btrfs/tests/free-space-tests.c | 8 +-
fs/cachefiles/internal.h | 12 +-
fs/cachefiles/namei.c | 2 +-
fs/cachefiles/proc.c | 12 +-
- fs/ceph/dir.c | 11 +-
+ fs/ceph/dir.c | 12 +-
fs/ceph/super.c | 4 +-
fs/cifs/cifs_debug.c | 12 +-
fs/cifs/cifsfs.c | 8 +-
fs/ecryptfs/miscdev.c | 2 +-
fs/exec.c | 362 +-
fs/ext2/xattr.c | 5 +-
- fs/ext3/xattr.c | 5 +-
fs/ext4/ext4.h | 20 +-
fs/ext4/mballoc.c | 44 +-
- fs/ext4/mmp.c | 2 +-
fs/ext4/resize.c | 16 +-
fs/ext4/super.c | 4 +-
fs/ext4/xattr.c | 5 +-
fs/file.c | 4 +-
fs/fs_struct.c | 8 +-
fs/fscache/cookie.c | 40 +-
- fs/fscache/internal.h | 200 +-
+ fs/fscache/internal.h | 202 +-
fs/fscache/object.c | 26 +-
- fs/fscache/operation.c | 30 +-
+ fs/fscache/operation.c | 38 +-
fs/fscache/page.c | 110 +-
- fs/fscache/stats.c | 344 +-
+ fs/fscache/stats.c | 348 +-
fs/fuse/cuse.c | 10 +-
fs/fuse/dev.c | 4 +-
- fs/fuse/dir.c | 2 +-
fs/gfs2/glock.c | 22 +-
fs/gfs2/glops.c | 4 +-
fs/gfs2/quota.c | 6 +-
- fs/hostfs/hostfs_kern.c | 2 +-
fs/hugetlbfs/inode.c | 13 +-
fs/inode.c | 4 +-
fs/jffs2/erase.c | 3 +-
fs/jfs/super.c | 2 +-
fs/kernfs/dir.c | 2 +-
fs/kernfs/file.c | 20 +-
- fs/kernfs/symlink.c | 2 +-
- fs/libfs.c | 12 +-
+ fs/libfs.c | 10 +-
fs/lockd/clntproc.c | 4 +-
- fs/namei.c | 24 +-
+ fs/namei.c | 16 +-
fs/namespace.c | 16 +-
fs/nfs/callback_xdr.c | 2 +-
fs/nfs/inode.c | 6 +-
fs/notify/fanotify/fanotify_user.c | 4 +-
fs/notify/notification.c | 4 +-
fs/ntfs/dir.c | 2 +-
- fs/ntfs/file.c | 2 +-
fs/ntfs/super.c | 6 +-
fs/ocfs2/localalloc.c | 2 +-
fs/ocfs2/ocfs2.h | 10 +-
fs/ocfs2/suballoc.c | 12 +-
fs/ocfs2/super.c | 20 +-
- fs/pipe.c | 59 +-
+ fs/pipe.c | 72 +-
fs/posix_acl.c | 4 +-
fs/proc/array.c | 20 +
fs/proc/base.c | 4 +-
fs/proc/kcore.c | 34 +-
fs/proc/meminfo.c | 2 +-
fs/proc/nommu.c | 2 +-
- fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/proc_sysctl.c | 26 +-
fs/proc/task_mmu.c | 39 +-
fs/proc/task_nommu.c | 4 +-
fs/proc/vmcore.c | 16 +-
fs/reiserfs/reiserfs.h | 4 +-
fs/seq_file.c | 4 +-
fs/splice.c | 43 +-
+ fs/squashfs/xattr.c | 12 +-
fs/sysv/sysv.h | 2 +-
- fs/ubifs/io.c | 2 +-
+ fs/tracefs/inode.c | 8 +-
fs/udf/misc.c | 2 +-
fs/ufs/swab.h | 4 +-
+ fs/userfaultfd.c | 2 +-
fs/xattr.c | 21 +
fs/xfs/libxfs/xfs_bmap.c | 2 +-
fs/xfs/xfs_dir2_readdir.c | 7 +-
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_linux.h | 4 +-
include/asm-generic/4level-fixup.h | 2 +
- include/asm-generic/atomic-long.h | 214 +-
+ include/asm-generic/atomic-long.h | 156 +-
include/asm-generic/atomic64.h | 12 +
- include/asm-generic/barrier.h | 2 +-
include/asm-generic/bitops/__fls.h | 2 +-
include/asm-generic/bitops/fls.h | 2 +-
include/asm-generic/bitops/fls64.h | 4 +-
+ include/asm-generic/bug.h | 6 +-
include/asm-generic/cache.h | 4 +-
include/asm-generic/emergency-restart.h | 2 +-
include/asm-generic/kmap_types.h | 4 +-
include/asm-generic/pgtable-nopmd.h | 18 +-
include/asm-generic/pgtable-nopud.h | 15 +-
include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/sections.h | 1 +
include/asm-generic/uaccess.h | 16 +
- include/asm-generic/vmlinux.lds.h | 10 +-
+ include/asm-generic/vmlinux.lds.h | 15 +-
include/crypto/algapi.h | 2 +-
include/drm/drmP.h | 16 +-
include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/drm_mm.h | 2 +-
include/drm/i915_pciids.h | 2 +-
+ include/drm/intel-gtt.h | 4 +-
include/drm/ttm/ttm_memory.h | 2 +-
include/drm/ttm/ttm_page_alloc.h | 1 +
include/keys/asymmetric-subtype.h | 2 +-
include/linux/atmdev.h | 4 +-
- include/linux/atomic.h | 2 +-
+ include/linux/atomic.h | 17 +-
include/linux/audit.h | 2 +-
+ include/linux/average.h | 2 +-
include/linux/binfmts.h | 3 +-
include/linux/bitmap.h | 2 +-
- include/linux/bitops.h | 6 +-
+ include/linux/bitops.h | 8 +-
include/linux/blkdev.h | 2 +-
include/linux/blktrace_api.h | 2 +-
include/linux/cache.h | 8 +
include/linux/cdrom.h | 1 -
include/linux/cleancache.h | 2 +-
include/linux/clk-provider.h | 1 +
- include/linux/compat.h | 4 +-
- include/linux/compiler-gcc4.h | 20 +
- include/linux/compiler-gcc5.h | 19 +
- include/linux/compiler.h | 89 +-
- include/linux/completion.h | 12 +-
+ include/linux/compat.h | 6 +-
+ include/linux/compiler-gcc.h | 28 +-
+ include/linux/compiler.h | 157 +-
include/linux/configfs.h | 2 +-
include/linux/cpufreq.h | 3 +-
include/linux/cpuidle.h | 5 +-
include/linux/cpumask.h | 14 +-
- include/linux/crypto.h | 6 +-
+ include/linux/crypto.h | 4 +-
include/linux/ctype.h | 2 +-
include/linux/dcache.h | 4 +-
include/linux/decompress/mm.h | 2 +-
include/linux/devfreq.h | 2 +-
include/linux/device.h | 7 +-
include/linux/dma-mapping.h | 2 +-
- include/linux/dmaengine.h | 4 +-
include/linux/efi.h | 1 +
include/linux/elf.h | 2 +
include/linux/err.h | 4 +-
include/linux/extcon.h | 2 +-
include/linux/fb.h | 3 +-
include/linux/fdtable.h | 2 +-
- include/linux/frontswap.h | 2 +-
- include/linux/fs.h | 3 +-
+ include/linux/fs.h | 5 +-
include/linux/fs_struct.h | 2 +-
- include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache-cache.h | 2 +-
include/linux/fscache.h | 2 +-
include/linux/fsnotify.h | 2 +-
include/linux/genhd.h | 4 +-
include/linux/interrupt.h | 6 +-
include/linux/iommu.h | 2 +-
include/linux/ioport.h | 2 +-
- include/linux/irq.h | 3 +-
- include/linux/irqchip/arm-gic.h | 2 +-
+ include/linux/ipc.h | 2 +-
+ include/linux/irq.h | 5 +-
include/linux/irqdesc.h | 2 +-
- include/linux/jiffies.h | 14 +-
- include/linux/kernel.h | 2 +-
+ include/linux/irqdomain.h | 3 +
+ include/linux/jiffies.h | 16 +-
include/linux/key-type.h | 2 +-
include/linux/kgdb.h | 6 +-
include/linux/kmemleak.h | 4 +-
include/linux/kobject.h | 3 +-
include/linux/kobject_ns.h | 2 +-
include/linux/kref.h | 2 +-
- include/linux/kvm_host.h | 4 +-
include/linux/libata.h | 2 +-
include/linux/linkage.h | 1 +
include/linux/list.h | 15 +
include/linux/lockref.h | 26 +-
include/linux/math64.h | 10 +-
include/linux/mempolicy.h | 7 +
- include/linux/mm.h | 104 +-
+ include/linux/mm.h | 102 +-
include/linux/mm_types.h | 20 +
- include/linux/mmc/core.h | 2 +-
include/linux/mmiotrace.h | 4 +-
include/linux/mmzone.h | 2 +-
include/linux/mod_devicetable.h | 4 +-
- include/linux/module.h | 60 +-
+ include/linux/module.h | 69 +-
include/linux/moduleloader.h | 16 +
include/linux/moduleparam.h | 4 +-
- include/linux/namei.h | 4 +-
include/linux/net.h | 2 +-
include/linux/netdevice.h | 7 +-
include/linux/netfilter.h | 2 +-
include/linux/padata.h | 2 +-
include/linux/pci_hotplug.h | 3 +-
include/linux/percpu.h | 2 +-
- include/linux/perf_event.h | 10 +-
+ include/linux/perf_event.h | 12 +-
include/linux/pipe_fs_i.h | 8 +-
include/linux/pm.h | 1 +
include/linux/pm_domain.h | 4 +-
include/linux/ppp-comp.h | 2 +-
include/linux/preempt.h | 21 +
include/linux/proc_ns.h | 2 +-
+ include/linux/psci.h | 2 +-
include/linux/quota.h | 2 +-
- include/linux/random.h | 23 +-
- include/linux/rculist.h | 20 +-
- include/linux/rcupdate.h | 2 +-
+ include/linux/random.h | 19 +-
+ include/linux/rculist.h | 16 +
include/linux/reboot.h | 14 +-
include/linux/regset.h | 3 +-
include/linux/relay.h | 2 +-
include/linux/rio.h | 2 +-
include/linux/rmap.h | 4 +-
- include/linux/sched.h | 70 +-
+ include/linux/sched.h | 72 +-
include/linux/sched/sysctl.h | 1 +
- include/linux/security.h | 2 -
include/linux/semaphore.h | 2 +-
include/linux/seq_file.h | 1 +
include/linux/signal.h | 2 +-
- include/linux/skbuff.h | 10 +-
- include/linux/slab.h | 48 +-
+ include/linux/skbuff.h | 12 +-
+ include/linux/slab.h | 47 +-
include/linux/slab_def.h | 14 +-
include/linux/slub_def.h | 2 +-
include/linux/smp.h | 2 +
include/linux/sunrpc/svc.h | 2 +-
include/linux/sunrpc/svc_rdma.h | 18 +-
include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swapops.h | 10 +-
include/linux/swiotlb.h | 3 +-
- include/linux/syscalls.h | 17 +-
+ include/linux/syscalls.h | 21 +-
include/linux/syscore_ops.h | 2 +-
include/linux/sysctl.h | 3 +-
include/linux/sysfs.h | 9 +-
include/linux/sysrq.h | 3 +-
+ include/linux/tcp.h | 14 +-
include/linux/thread_info.h | 7 +
include/linux/tty.h | 4 +-
include/linux/tty_driver.h | 2 +-
include/linux/uaccess.h | 6 +-
include/linux/uio_driver.h | 2 +-
include/linux/unaligned/access_ok.h | 24 +-
- include/linux/usb.h | 4 +-
+ include/linux/usb.h | 12 +-
+ include/linux/usb/hcd.h | 1 +
include/linux/usb/renesas_usbhs.h | 2 +-
include/linux/vermagic.h | 21 +-
include/linux/vga_switcheroo.h | 8 +-
include/net/genetlink.h | 2 +-
include/net/gro_cells.h | 2 +-
include/net/inet_connection_sock.h | 2 +-
+ include/net/inet_sock.h | 2 +-
include/net/inetpeer.h | 2 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 8 +-
+ include/net/ipv6.h | 2 +-
include/net/irda/ircomm_tty.h | 1 +
include/net/iucv/af_iucv.h | 2 +-
include/net/llc_c_ac.h | 2 +-
include/net/llc_c_st.h | 2 +-
include/net/llc_s_ac.h | 2 +-
include/net/llc_s_st.h | 2 +-
- include/net/mac80211.h | 2 +-
+ include/net/mac80211.h | 4 +-
include/net/neighbour.h | 2 +-
- include/net/net_namespace.h | 16 +-
+ include/net/net_namespace.h | 18 +-
include/net/netlink.h | 2 +-
include/net/netns/conntrack.h | 6 +-
include/net/netns/ipv4.h | 4 +-
include/net/sctp/checksum.h | 4 +-
include/net/sctp/sm.h | 4 +-
include/net/sctp/structs.h | 2 +-
- include/net/sock.h | 8 +-
+ include/net/sock.h | 12 +-
include/net/tcp.h | 8 +-
include/net/xfrm.h | 13 +-
include/rdma/iw_cm.h | 2 +-
include/scsi/libfc.h | 3 +-
include/scsi/scsi_device.h | 6 +-
+ include/scsi/scsi_driver.h | 2 +-
include/scsi/scsi_transport_fc.h | 3 +-
+ include/scsi/sg.h | 2 +-
include/sound/compress_driver.h | 2 +-
include/sound/soc.h | 4 +-
- include/target/target_core_base.h | 2 +-
include/trace/events/irq.h | 4 +-
include/uapi/linux/a.out.h | 8 +
include/uapi/linux/bcache.h | 5 +-
include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/connector.h | 2 +-
include/uapi/linux/elf.h | 28 +
include/uapi/linux/screen_info.h | 3 +-
include/uapi/linux/swab.h | 6 +-
init/do_mounts_md.c | 6 +-
init/init_task.c | 4 +
init/initramfs.c | 38 +-
- init/main.c | 78 +-
- ipc/compat.c | 2 +-
+ init/main.c | 30 +-
+ ipc/compat.c | 4 +-
ipc/ipc_sysctl.c | 8 +-
ipc/mq_sysctl.c | 4 +-
+ ipc/sem.c | 4 +-
ipc/shm.c | 6 +
kernel/audit.c | 8 +-
kernel/auditsc.c | 4 +-
kernel/compat.c | 38 +-
kernel/debug/debug_core.c | 16 +-
kernel/debug/kdb/kdb_main.c | 4 +-
- kernel/events/core.c | 28 +-
+ kernel/events/core.c | 26 +-
kernel/events/internal.h | 10 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 2 +-
- kernel/fork.c | 161 +-
+ kernel/fork.c | 167 +-
kernel/futex.c | 11 +-
kernel/futex_compat.c | 2 +-
kernel/gcov/base.c | 7 +-
kernel/irq/manage.c | 2 +-
+ kernel/irq/msi.c | 19 +-
kernel/irq/spurious.c | 2 +-
kernel/jump_label.c | 5 +
kernel/kallsyms.c | 37 +-
kernel/kprobes.c | 4 +-
kernel/ksysfs.c | 2 +-
kernel/locking/lockdep.c | 7 +-
- kernel/locking/mcs_spinlock.h | 2 +-
kernel/locking/mutex-debug.c | 12 +-
kernel/locking/mutex-debug.h | 4 +-
kernel/locking/mutex.c | 6 +-
- kernel/locking/osq_lock.c | 10 +-
- kernel/locking/rtmutex-tester.c | 24 +-
- kernel/module.c | 357 +-
+ kernel/module.c | 422 +-
kernel/notifier.c | 17 +-
kernel/padata.c | 4 +-
kernel/panic.c | 5 +-
kernel/ptrace.c | 8 +-
kernel/rcu/rcutorture.c | 60 +-
kernel/rcu/tiny.c | 4 +-
- kernel/rcu/tiny_plugin.h | 6 +-
- kernel/rcu/tree.c | 128 +-
- kernel/rcu/tree.h | 26 +-
- kernel/rcu/tree_plugin.h | 42 +-
- kernel/rcu/tree_trace.c | 22 +-
- kernel/rcu/update.c | 10 +-
+ kernel/rcu/tree.c | 44 +-
+ kernel/rcu/tree.h | 14 +-
+ kernel/rcu/tree_plugin.h | 14 +-
+ kernel/rcu/tree_trace.c | 12 +-
kernel/sched/auto_group.c | 4 +-
- kernel/sched/completion.c | 6 +-
kernel/sched/core.c | 45 +-
- kernel/sched/fair.c | 4 +-
+ kernel/sched/fair.c | 2 +-
kernel/sched/sched.h | 2 +-
kernel/signal.c | 12 +-
kernel/smpboot.c | 4 +-
kernel/sys.c | 10 +-
kernel/sysctl.c | 34 +-
kernel/time/alarmtimer.c | 2 +-
- kernel/time/hrtimer.c | 2 +-
kernel/time/posix-cpu-timers.c | 4 +-
kernel/time/posix-timers.c | 24 +-
- kernel/time/timer.c | 4 +-
+ kernel/time/timer.c | 2 +-
kernel/time/timer_stats.c | 10 +-
- kernel/torture.c | 10 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 15 +-
kernel/trace/ring_buffer.c | 96 +-
kernel/workqueue.c | 2 +-
lib/Kconfig.debug | 8 +-
lib/Makefile | 2 +-
- lib/average.c | 2 +-
- lib/bitmap.c | 10 +-
+ lib/bitmap.c | 8 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
+ lib/decompress_bunzip2.c | 3 +-
+ lib/decompress_unlzma.c | 4 +-
lib/div64.c | 4 +-
lib/dma-debug.c | 4 +-
lib/inflate.c | 2 +-
lib/vsprintf.c | 12 +-
mm/Kconfig | 6 +-
mm/backing-dev.c | 4 +-
+ mm/debug.c | 3 +
mm/filemap.c | 2 +-
mm/gup.c | 13 +-
- mm/highmem.c | 7 +-
+ mm/highmem.c | 6 +-
mm/hugetlb.c | 70 +-
- mm/internal.h | 3 +-
+ mm/internal.h | 1 +
mm/maccess.c | 4 +-
mm/madvise.c | 37 +
- mm/memory-failure.c | 30 +-
- mm/memory.c | 410 +-
+ mm/memory-failure.c | 6 +-
+ mm/memory.c | 424 +-
mm/mempolicy.c | 25 +
mm/mlock.c | 15 +-
mm/mm_init.c | 2 +-
- mm/mmap.c | 586 +-
+ mm/mmap.c | 582 +-
mm/mprotect.c | 137 +-
- mm/mremap.c | 44 +-
+ mm/mremap.c | 39 +-
mm/nommu.c | 21 +-
mm/page-writeback.c | 2 +-
- mm/page_alloc.c | 48 +-
+ mm/page_alloc.c | 49 +-
mm/percpu.c | 2 +-
mm/process_vm_access.c | 14 +-
mm/rmap.c | 45 +-
mm/slab.h | 22 +-
mm/slab_common.c | 86 +-
mm/slob.c | 218 +-
- mm/slub.c | 101 +-
+ mm/slub.c | 102 +-
mm/sparse-vmemmap.c | 4 +-
mm/sparse.c | 2 +-
- mm/swap.c | 3 +
+ mm/swap.c | 2 +
mm/swapfile.c | 12 +-
mm/util.c | 6 +
- mm/vmalloc.c | 112 +-
+ mm/vmalloc.c | 114 +-
mm/vmstat.c | 12 +-
net/8021q/vlan.c | 5 +-
net/8021q/vlan_netlink.c | 2 +-
- net/9p/client.c | 6 +-
net/9p/mod.c | 4 +-
net/9p/trans_fd.c | 2 +-
net/atm/atm_misc.c | 8 +-
net/ceph/messenger.c | 4 +-
net/compat.c | 24 +-
net/core/datagram.c | 2 +-
- net/core/dev.c | 18 +-
+ net/core/dev.c | 16 +-
net/core/filter.c | 2 +-
net/core/flow.c | 6 +-
net/core/neighbour.c | 4 +-
net/core/net_namespace.c | 8 +-
net/core/netpoll.c | 4 +-
net/core/rtnetlink.c | 15 +-
- net/core/scm.c | 8 +-
+ net/core/scm.c | 14 +-
net/core/skbuff.c | 8 +-
net/core/sock.c | 28 +-
- net/core/sock_diag.c | 9 +-
+ net/core/sock_diag.c | 15 +-
net/core/sysctl_net_core.c | 22 +-
net/decnet/af_decnet.c | 1 +
net/decnet/sysctl_net_decnet.c | 4 +-
+ net/dsa/dsa.c | 2 +-
net/hsr/hsr_netlink.c | 2 +-
net/ieee802154/6lowpan/core.c | 2 +-
net/ieee802154/6lowpan/reassembly.c | 14 +-
net/ipv4/devinet.c | 18 +-
net/ipv4/fib_frontend.c | 6 +-
net/ipv4/fib_semantics.c | 2 +-
- net/ipv4/fou.c | 4 +-
+ net/ipv4/inet_connection_sock.c | 4 +-
+ net/ipv4/inet_timewait_sock.c | 2 +-
net/ipv4/inetpeer.c | 2 +-
net/ipv4/ip_fragment.c | 15 +-
net/ipv4/ip_gre.c | 6 +-
net/ipv4/raw.c | 14 +-
net/ipv4/route.c | 32 +-
net/ipv4/sysctl_net_ipv4.c | 22 +-
- net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_input.c | 6 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 10 +-
net/ipv4/xfrm4_policy.c | 18 +-
- net/ipv6/addrconf.c | 14 +-
+ net/ipv6/addrconf.c | 18 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/datagram.c | 2 +-
net/ipv6/icmp.c | 2 +-
net/l2tp/l2tp_ip6.c | 2 +-
net/mac80211/cfg.c | 8 +-
net/mac80211/ieee80211_i.h | 3 +-
- net/mac80211/iface.c | 16 +-
+ net/mac80211/iface.c | 20 +-
net/mac80211/main.c | 2 +-
- net/mac80211/pm.c | 6 +-
+ net/mac80211/pm.c | 4 +-
net/mac80211/rate.c | 2 +-
+ net/mac80211/sta_info.c | 2 +-
net/mac80211/util.c | 8 +-
+ net/mpls/af_mpls.c | 6 +-
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/ipvs/ip_vs_conn.c | 6 +-
net/netfilter/ipvs/ip_vs_core.c | 4 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/openvswitch/vport-internal_dev.c | 2 +-
- net/openvswitch/vport.c | 16 +-
- net/openvswitch/vport.h | 8 +-
- net/packet/af_packet.c | 10 +-
+ net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/phonet/sysctl.c | 2 +-
net/sunrpc/clnt.c | 4 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/svc.c | 4 +-
- net/sunrpc/svcauth_unix.c | 4 +-
+ net/sunrpc/svcauth_unix.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
scripts/Kbuild.include | 2 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.clean | 3 +-
- scripts/Makefile.host | 63 +-
+ scripts/Makefile.host | 69 +-
scripts/basic/fixdep.c | 12 +-
+ scripts/dtc/checks.c | 14 +-
+ scripts/dtc/data.c | 6 +-
+ scripts/dtc/flattree.c | 8 +-
+ scripts/dtc/livetree.c | 4 +-
scripts/gcc-plugin.sh | 51 +
scripts/headers_install.sh | 1 +
+ scripts/kallsyms.c | 4 +-
+ scripts/kconfig/lkc.h | 5 +-
+ scripts/kconfig/menu.c | 2 +-
+ scripts/kconfig/symbol.c | 6 +-
scripts/link-vmlinux.sh | 2 +-
scripts/mod/file2alias.c | 14 +-
scripts/mod/modpost.c | 25 +-
scripts/sortextable.h | 6 +-
scripts/tags.sh | 2 +-
security/Kconfig | 692 +-
- security/apparmor/lsm.c | 2 +-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_queue.c | 2 +-
- security/keys/compat.c | 2 +-
- security/keys/internal.h | 2 +-
security/keys/key.c | 18 +-
- security/keys/keyctl.c | 8 +-
- security/security.c | 9 +-
security/selinux/avc.c | 6 +-
- security/selinux/hooks.c | 10 +-
security/selinux/include/xfrm.h | 2 +-
- security/smack/smack_lsm.c | 2 +-
- security/tomoyo/tomoyo.c | 2 +-
- security/yama/yama_lsm.c | 22 +-
+ security/yama/yama_lsm.c | 2 +-
sound/aoa/codecs/onyx.c | 7 +-
sound/aoa/codecs/onyx.h | 1 +
sound/core/oss/pcm_oss.c | 18 +-
sound/core/pcm_compat.c | 2 +-
sound/core/pcm_native.c | 4 +-
- sound/core/seq/seq_device.c | 8 +-
sound/core/sound.c | 2 +-
sound/drivers/mts64.c | 14 +-
sound/drivers/opl4/opl4_lib.c | 2 +-
sound/pci/hda/hda_codec.c | 2 +-
sound/pci/ymfpci/ymfpci.h | 2 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/codecs/sti-sas.c | 10 +-
sound/soc/soc-ac97.c | 6 +-
sound/soc/xtensa/xtfpga-i2s.c | 2 +-
- tools/gcc/Makefile | 40 +
+ tools/gcc/Makefile | 42 +
tools/gcc/checker_plugin.c | 150 +
tools/gcc/colorize_plugin.c | 215 +
- tools/gcc/constify_plugin.c | 563 +
- tools/gcc/gcc-common.h | 666 +
+ tools/gcc/constify_plugin.c | 571 +
+ tools/gcc/gcc-common.h | 812 +
+ tools/gcc/initify_plugin.c | 552 +
tools/gcc/kallocstat_plugin.c | 188 +
- tools/gcc/kernexec_plugin.c | 547 +
- tools/gcc/latent_entropy_plugin.c | 474 +
- tools/gcc/size_overflow_plugin/.gitignore | 1 +
- tools/gcc/size_overflow_plugin/Makefile | 20 +
- .../generate_size_overflow_hash.sh | 102 +
- .../insert_size_overflow_asm.c | 409 +
- .../size_overflow_plugin/intentional_overflow.c | 955 +
- tools/gcc/size_overflow_plugin/misc.c | 441 +
+ tools/gcc/kernexec_plugin.c | 549 +
+ tools/gcc/latent_entropy_plugin.c | 470 +
+ tools/gcc/size_overflow_plugin/.gitignore | 2 +
+ tools/gcc/size_overflow_plugin/Makefile | 28 +
+ .../disable_size_overflow_hash.data |12422 ++++++++++++
+ .../generate_size_overflow_hash.sh | 103 +
+ .../insert_size_overflow_asm.c | 416 +
+ .../size_overflow_plugin/intentional_overflow.c | 1010 +
.../size_overflow_plugin/remove_unnecessary_dup.c | 137 +
- tools/gcc/size_overflow_plugin/size_overflow.h | 281 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c | 164 +
- .../size_overflow_plugin/size_overflow_hash.data |27747 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin/size_overflow.h | 323 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 194 +
+ .../size_overflow_plugin/size_overflow_hash.data |20735 ++++++++++++++++++++
.../size_overflow_hash_aux.data | 92 +
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 913 +
- .../size_overflow_plugin/size_overflow_plugin.c | 256 +
- .../size_overflow_plugin_hash.c | 345 +
- .../size_overflow_plugin/size_overflow_transform.c | 431 +
- .../size_overflow_transform_core.c | 941 +
- tools/gcc/stackleak_plugin.c | 432 +
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1226 ++
+ .../gcc/size_overflow_plugin/size_overflow_misc.c | 505 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 318 +
+ .../size_overflow_plugin_hash.c | 352 +
+ .../size_overflow_plugin/size_overflow_transform.c | 749 +
+ .../size_overflow_transform_core.c | 1010 +
+ tools/gcc/stackleak_plugin.c | 436 +
tools/gcc/structleak_plugin.c | 287 +
tools/include/linux/compiler.h | 8 +
tools/lib/api/Makefile | 2 +-
tools/perf/util/include/asm/alternative-asm.h | 3 +
tools/virtio/linux/uaccess.h | 2 +-
- virt/kvm/kvm_main.c | 44 +-
- 1899 files changed, 59437 insertions(+), 8692 deletions(-)
+ virt/kvm/kvm_main.c | 42 +-
+ 1944 files changed, 66925 insertions(+), 8949 deletions(-)