+commit 87790bbd0d8dc2bd7fd86cb947e32886db9e9766
+Author: Matthew Wilcox <willy@linux.intel.com>
+Date: Tue Feb 2 16:57:52 2016 -0800
+
+ radix-tree: fix race in gang lookup
+
+ If the indirect_ptr bit is set on a slot, that indicates we need to redo
+ the lookup. Introduce a new function radix_tree_iter_retry() which
+ forces the loop to retry the lookup by setting 'slot' to NULL and
+ turning the iterator back to point at the problematic entry.
+
+ This is a pretty rare problem to hit at the moment; the lookup has to
+ race with a grow of the radix tree from a height of 0. The consequences
+ of hitting this race are that gang lookup could return a pointer to a
+ radix_tree_node instead of a pointer to whatever the user had inserted
+ in the tree.
+
+ Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
+ Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 16 ++++++++++++++++
+ lib/radix-tree.c | 12 ++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+commit bf628043b4589c910919a0f221ae7f42aa8cea93
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Feb 3 02:11:03 2016 +0100
+
+ unix: correctly track in-flight fds in sending process user_struct
+
+ The commit referenced in the Fixes tag incorrectly accounted the number
+ of in-flight fds over a unix domain socket to the original opener
+ of the file-descriptor. This allows another process to arbitrary
+ deplete the original file-openers resource limit for the maximum of
+ open files. Instead the sending processes and its struct cred should
+ be credited.
+
+ To do so, we add a reference counted struct user_struct pointer to the
+ scm_fp_list and use it to account for the number of inflight unix fds.
+
+ Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+ Reported-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: David Herrmann <dh.herrmann@gmail.com>
+ Cc: Willy Tarreau <w@1wt.eu>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+commit e830db443ff78d70b7b63536e688d73907face0c
+Author: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri Jan 15 16:57:37 2016 -0800
+
+ fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+ Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+ argument end is of type pgoff_t. It was being converted to a vaddr
+ offset and passed to unmap_hugepage_range. However, end was also being
+ used as an argument to the vma_interval_tree_foreach controlling loop.
+ In addition, the conversion of end to vaddr offset was incorrect.
+
+ hugetlb_vmtruncate_list is called as part of a file truncate or
+ fallocate hole punch operation.
+
+ When truncating a hugetlbfs file, this bug could prevent some pages from
+ being unmapped. This is possible if there are multiple vmas mapping the
+ file, and there is a sufficiently sized hole between the mappings. The
+ size of the hole between two vmas (A,B) must be such that the starting
+ virtual address of B is greater than (ending virtual address of A <<
+ PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+ pages are not properly unmapped during truncate, the following BUG is
+ hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+ In the fallocate hole punch case, this bug could prevent pages from
+ being unmapped as in the truncate case. However, for hole punch the
+ result is that unmapped pages will not be removed during the operation.
+ For hole punch, it is also possible that more pages than desired will be
+ unmapped. This unnecessary unmapping will cause page faults to
+ reestablish the mappings on subsequent page access.
+
+ Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+ Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Davidlohr Bueso <dave@stgolabs.net>
+ Cc: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org> [4.3]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
+
+commit cdb3ba4a9113b779347387f3b6c6ea72dd4db12f
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Feb 4 17:06:13 2016 +0100
+
+ ALSA: timer: Fix leftover link at closing
+
+ In ALSA timer core, the active timer instance is managed in
+ active_list linked list. Each element is added / removed dynamically
+ at timer start, stop and in timer interrupt. The problem is that
+ snd_timer_interrupt() has a thinko and leaves the element in
+ active_list when it's the last opened element. This eventually leads
+ to list corruption or use-after-free error.
+
+ This hasn't been revealed because we used to delete the list forcibly
+ in snd_timer_stop() in the past. However, the recent fix avoids the
+ double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
+ corruption due to double start or stop]), and this leak hits reality.
+
+ This patch fixes the link management in snd_timer_interrupt(). Now it
+ simply unlinks no matter which stream is.
+
+ BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 47d9647902f6a2f46a2be1e0140ba0f6f8c06008
+Author: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri Feb 5 15:37:01 2016 -0800
+
+ radix-tree: fix oops after radix_tree_iter_retry
+
+ Helper radix_tree_iter_retry() resets next_index to the current index.
+ In following radix_tree_next_slot current chunk size becomes zero. This
+ isn't checked and it tries to dereference null pointer in slot.
+
+ Tagged iterator is fine because retry happens only at slot 0 where tag
+ bitmask in iter->tags is filled with single bit.
+
+ Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+ Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+ Cc: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Jeremiah Mahler <jmmahler@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 95b5dcb3c01958502af00b0bc0da1d906aae11a2
+Merge: 438be0b 256aeaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:33 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 256aeaf87c22de8edf1f03682a572c590ae07771
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:09 2016 -0500
+
+ Update to pax-linux-4.3.5-test28.patch:
+ - fixed an integer truncation bug in numa_clear_kernel_node_hotplug caught by the size overflow plugin, reported by x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4374)
+ - spender fixed UDEREF on arm
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ arch/x86/mm/numa.c | 2 +-
+ security/Kconfig | 1 -
+ 10 files changed, 60 insertions(+), 70 deletions(-)
+
+commit 438be0bd112bd17942b2628c53054dc1007558a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 19:50:31 2016 -0500
+
+ Fix a number of issues caused by the upstream merging of a UDEREF ripoff resulting in unbootable
+ ARM systems reported on the forums
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ security/Kconfig | 1 -
+ 9 files changed, 59 insertions(+), 69 deletions(-)
+
+commit 4ffdd5ef1f87e611af1efb4f251ada92abe9f4c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:21:53 2016 -0500
+
+ Fix another compiler warning
+
+ net/ipv4/tcp_input.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 30b5b7bc0fd67d458bdd5ab35e4689769eabd2ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:16:12 2016 -0500
+
+ Fix two compiler warnings
+
+ kernel/pid.c | 5 ++---
+ kernel/ptrace.c | 3 ++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit dda4d2a21914c480750f10bd55c6e3203d415d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:22:40 2016 -0500
+
+ Apply fix for integer truncation in NUMA init code, reported by
+ x14sg1 on the forums:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4374
+
+ arch/x86/mm/numa.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 477505f7c893cb6a2c3e22f83eefd9c985d7b3ca
+Merge: a781740 016d0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:58 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 016d0d81a8dd4be1304c82a68e0ccf425868f467
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:10 2016 -0500
+
+ Update to pax-linux-4.3.5-test27.patch:
+ - fixed a bunch of potential REFCOUNT false positives, reported by Emese
+ - restored padding in fpregs_state for storing AVX-512 state in the future
+ - constified netlink_dump_control
+ - added const version of debug_gimple_stmt for gcc plugins, by Emese
+ - Emese fixed a bug in initify that could have initified too much
+ - Emese fixed a false positive intentional integer overflow in xfrm4_extract_header, reported by corsac
+
+ arch/x86/include/asm/fpu/types.h | 1 +
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ block/blk-cgroup.c | 18 ++--
+ block/cfq-iosched.c | 4 +-
+ crypto/crypto_user.c | 8 ++-
+ drivers/acpi/apei/ghes.c | 6 +-
+ drivers/char/ipmi/ipmi_ssif.c | 12 ++--
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +-
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 2 +-
+ drivers/gpu/drm/amd/scheduler/sched_fence.c | 2 +-
+ drivers/infiniband/core/netlink.c | 5 +-
+ drivers/infiniband/hw/cxgb4/device.c | 6 +-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/bcache.h | 10 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/io.c | 10 +-
+ drivers/md/bcache/journal.c | 2 +-
+ drivers/md/bcache/stats.c | 26 +++---
+ drivers/md/bcache/stats.h | 16 ++--
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bcache/sysfs.c | 20 +++---
+ drivers/md/dm-cache-target.c | 98 ++++++++++++------------
+ drivers/md/dm-raid.c | 2 +-
+ drivers/md/md.c | 6 +-
+ drivers/md/md.h | 2 +-
+ drivers/md/raid1.c | 2 +-
+ drivers/md/raid10.c | 2 +-
+ drivers/md/raid5.c | 4 +-
+ drivers/media/pci/zoran/zoran.h | 1 -
+ drivers/media/pci/zoran/zoran_driver.c | 3 -
+ drivers/net/ethernet/sfc/selftest.c | 20 +++---
+ drivers/net/irda/vlsi_ir.c | 18 ++--
+ drivers/net/irda/vlsi_ir.h | 14 ++--
+ drivers/net/wireless/ath/carl9170/carl9170.h | 6 +-
+ drivers/net/wireless/ath/carl9170/debug.c | 6 +-
+ drivers/net/wireless/ath/carl9170/main.c | 10 +-
+ drivers/net/wireless/ath/carl9170/tx.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/d3.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 2 +-
+ drivers/scsi/hptiop.c | 2 -
+ drivers/scsi/hptiop.h | 1 -
+ drivers/scsi/ipr.c | 6 +-
+ drivers/scsi/ipr.h | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 10 +-
+ drivers/scsi/qla2xxx/qla_target.h | 2 +-
+ fs/btrfs/ctree.c | 2 +-
+ fs/btrfs/ctree.h | 4 +-
+ fs/btrfs/delayed-ref.c | 4 +-
+ fs/btrfs/disk-io.c | 4 +-
+ fs/btrfs/file.c | 4 +-
+ fs/btrfs/raid56.c | 32 ++++----
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ fs/btrfs/transaction.c | 2 +-
+ fs/btrfs/tree-log.c | 8 +-
+ fs/btrfs/volumes.c | 14 ++--
+ fs/btrfs/volumes.h | 22 +++---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 4 +-
+ fs/ocfs2/dlm/dlmcommon.h | 4 +-
+ fs/ocfs2/dlm/dlmdebug.c | 10 +-
+ fs/ocfs2/dlm/dlmdomain.c | 4 +-
+ fs/ocfs2/dlm/dlmmaster.c | 4 +-
+ include/acpi/ghes.h | 2 +-
+ include/linux/blk-cgroup.h | 24 +++---
+ include/linux/jbd2.h | 2 +-
+ include/linux/netlink.h | 12 ++--
+ include/net/cfg802154.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +-
+ net/batman-adv/routing.c | 4 +-
+ net/batman-adv/soft-interface.c | 2 +-
+ net/batman-adv/translation-table.c | 14 ++--
+ net/batman-adv/types.h | 2 +-
+ net/core/neighbour.c | 14 ++--
+ net/core/rtnetlink.c | 2 +-
+ net/ipv4/arp.c | 2 +-
+ net/ipv4/inet_diag.c | 4 +-
+ net/ipv4/xfrm4_state.c | 4 +-
+ net/ipv6/ndisc.c | 2 +-
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/debugfs_key.c | 2 +-
+ net/mac80211/key.c | 4 +-
+ net/mac80211/tx.c | 2 +-
+ net/mac80211/wpa.c | 10 +-
+ net/mac802154/iface.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 22 +++---
+ net/netfilter/nf_tables_api.c | 13 ++--
+ net/netfilter/nfnetlink_acct.c | 7 +-
+ net/netfilter/nfnetlink_cthelper.c | 2 +-
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ net/netlink/af_netlink.c | 10 ++-
+ net/netlink/diag.c | 2 +-
+ net/netlink/genetlink.c | 14 ++--
+ net/packet/af_packet.c | 18 ++--
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 6 +-
+ net/unix/diag.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ security/apparmor/policy.c | 4 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_fifo.c | 6 +-
+ sound/core/seq/seq_fifo.h | 2 +-
+ tools/gcc/gcc-common.h | 24 ++++--
+ tools/gcc/initify_plugin.c | 7 +-
+ tools/lib/api/Makefile | 2 +-
+ 109 files changed, 399 insertions(+), 391 deletions(-)
+
+commit a7817402ac837b1aee07fac42537a02097055098
+Author: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Fri Jan 29 11:36:10 2016 +0000
+
+ x86/mm/pat: Avoid truncation when converting cpa->numpages to address
+
+ There are a couple of nasty truncation bugs lurking in the pageattr
+ code that can be triggered when mapping EFI regions, e.g. when we pass
+ a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
+ left by PAGE_SHIFT will truncate the resultant address to 32-bits.
+
+ Viorel-Cătălin managed to trigger this bug on his Dell machine that
+ provides a ~5GB EFI region which requires 1236992 pages to be mapped.
+ When calling populate_pud() the end of the region gets calculated
+ incorrectly in the following buggy expression,
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+
+ And only 188416 pages are mapped. Next, populate_pud() gets invoked
+ for a second time because of the loop in __change_page_attr_set_clr(),
+ only this time no pages get mapped because shifting the remaining
+ number of pages (1048576) by PAGE_SHIFT is zero. At which point the
+ loop in __change_page_attr_set_clr() spins forever because we fail to
+ map progress.
+
+ Hitting this bug depends very much on the virtual address we pick to
+ map the large region at and how many pages we map on the initial run
+ through the loop. This explains why this issue was only recently hit
+ with the introduction of commit
+
+ a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
+ entries bottom-up at runtime, instead of top-down")
+
+ It's interesting to note that safe uses of cpa->numpages do exist in
+ the pageattr code. If instead of shifting ->numpages we multiply by
+ PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
+ so the result is unsigned long.
+
+ To avoid surprises when users try to convert very large cpa->numpages
+ values to addresses, change the data type from 'int' to 'unsigned
+ long', thereby making it suitable for shifting by PAGE_SHIFT without
+ any type casting.
+
+ The alternative would be to make liberal use of casting, but that is
+ far more likely to cause problems in the future when someone adds more
+ code and fails to cast properly; this bug was difficult enough to
+ track down in the first place.
+
+ Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
+ Acked-by: Borislav Petkov <bp@alien8.de>
+ Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
+ Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/mm/pageattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 64dd9d7a67a742fda257cdd16510c29e695c34b5
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Tue Jan 26 04:15:18 2016 -0700
+
+ x86/mm: Fix types used in pgprot cacheability flags translations
+
+ For PAE kernels "unsigned long" is not suitable to hold page protection
+ flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
+ few W+X pages getting reported as insecure during boot (observed namely
+ for the entire initrd range).
+
+ Fixes: 281d4078be ("x86: Make page cache mode a real type")
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Reviewed-by: Juergen Gross <JGross@suse.com>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/include/asm/pgtable_types.h | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit bb9a3a9df0d8dfc96d521676e64c42b37ba22aea
+Merge: 682d661 f74425b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:06:25 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/slip/slhc.c
+ include/linux/sched.h
+ net/unix/af_unix.c
+ sound/core/timer.c
+
+commit f74425b5705bfe52aff9e97659ef10c4a14176c3
+Merge: d14af1f 849a2d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:02:55 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
+ Conflicts:
+ arch/x86/include/asm/mmu_context.h
+
+commit 682d6611d75542e351c973c8dd74a99d3966c073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 30 13:05:03 2016 -0500
+
+ Based on a report from Mathias Krause, fix up a number of additional instances
+ of ulong overflow when passing in values to gr_learn_resource by saturating
+ to ULONG_MAX
+
+ mm/mlock.c | 11 ++++++++---
+ mm/mmap.c | 16 +++++++++++++---
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+commit adb52e95fb9ad4ac9c56cd5d47bd668f47c33096
+Author: Jann Horn <jann@thejh.net>
+Date: Sat Dec 26 06:00:48 2015 +0100
+
+ seccomp: always propagate NO_NEW_PRIVS on tsync
+
+ Before this patch, a process with some permissive seccomp filter
+ that was applied by root without NO_NEW_PRIVS was able to add
+ more filters to itself without setting NO_NEW_PRIVS by setting
+ the new filter from a throwaway thread with NO_NEW_PRIVS.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+
+ kernel/seccomp.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+commit b85450498a3bbf269441c8963d7574bb3079c838
+Merge: 59c216f d14af1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:54:13 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d14af1f1dd66511f3f0674deee2b572972012b39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:53:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test26.patch:
+ - Emese fixed a few intentional overflows introduced by gcc, reported by StalkR (https://forums.grsecurity.net/viewtopic.php?f=3&t=4370)
+
+ fs/cifs/file.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 96 ++++++++++++++++++--
+ tools/gcc/size_overflow_plugin/size_overflow.h | 2 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 6 +-
+ .../size_overflow_transform_core.c | 5 +
+ 7 files changed, 102 insertions(+), 15 deletions(-)
+
+commit 59c216f13587eacdd692386b7a403ae78ed84fb6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 27 17:57:21 2016 -0500
+
+ Fix a size_overflow report reported by Mathias Krause in our
+ truncation of an loff_t to an unsigned long when being passed
+ to gr_learn_resource() (as all resource checks are against unsigned long
+ values)
+
+ fs/attr.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 70636c6ad60fc1db3af764ecc789b827b7497a97
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Wed Jan 6 12:42:38 2016 -0800
+
+ tcp: fix zero cwnd in tcp_cwnd_reduction
+
+ Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
+ conditionally") introduced a bug that cwnd may become 0 when both
+ inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
+ to a div-by-zero if the connection starts another cwnd reduction
+ phase by setting tp->prior_cwnd to the current cwnd (0) in
+ tcp_init_cwnd_reduction().
+
+ To prevent this we skip PRR operation when nothing is acked or
+ sacked. Then cwnd must be positive in all cases as long as ssthresh
+ is positive:
+
+ 1) The proportional reduction mode
+ inflight > ssthresh > 0
+
+ 2) The reduction bound mode
+ a) inflight == ssthresh > 0
+
+ b) inflight < ssthresh
+ sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
+
+ Therefore in all cases inflight and sndcnt can not both be 0.
+ We check invalid tp->prior_cwnd to avoid potential div0 bugs.
+
+ In reality this bug is triggered only with a sequence of less common
+ events. For example, the connection is terminating an ECN-triggered
+ cwnd reduction with an inflight 0, then it receives reordered/old
+ ACKs or DSACKs from prior transmission (which acks nothing). Or the
+ connection is in fast recovery stage that marks everything lost,
+ but fails to retransmit due to local issues, then receives data
+ packets from other end which acks nothing.
+
+ Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
+ Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_input.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit dac1da2bedbb43195d371c7a192cfeeb45683df0
+Author: Eric Dumazet <edumazet@google.com>
+Date: Sun Jan 24 13:53:50 2016 -0800
+
+ af_unix: fix struct pid memory leak
+
+ Dmitry reported a struct pid leak detected by a syzkaller program.
+
+ Bug happens in unix_stream_recvmsg() when we break the loop when a
+ signal is pending, without properly releasing scm.
+
+ Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 15cc47f127520d1ac0c1fe76d993c2c27f0f2571
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jan 22 01:39:43 2016 +0100
+
+ pptp: fix illegal memory access caused by multiple bind()s
+
+ Several times already this has been reported as kasan reports caused by
+ syzkaller and trinity and people always looked at RCU races, but it is
+ much more simple. :)
+
+ In case we bind a pptp socket multiple times, we simply add it to
+ the callid_sock list but don't remove the old binding. Thus the old
+ socket stays in the bucket with unused call_id indexes and doesn't get
+ cleaned up. This causes various forms of kasan reports which were hard
+ to pinpoint.
+
+ Simply don't allow multiple binds and correct error handling in
+ pptp_bind. Also keep sk_state bits in place in pptp_connect.
+
+ Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Cc: Sasha Levin <sasha.levin@oracle.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dave Jones <davej@codemonkey.org.uk>
+ Reported-by: Dave Jones <davej@codemonkey.org.uk>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ppp/pptp.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
+
+commit e2b7b8c66851c85188fa6dab2d2b2a6c85bc7332
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:17:10 2016 -0500
+
+ Add info about cpupower/powertop to GRKERNSEC_KMEM, was present on our
+ wiki but was removed from the config help at some point
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit ce2e88efa000fc32bfcd84098f57c8ed8310fefc
+Author: Thomas Egerer <hakke_007@gmx.de>
+Date: Mon Jan 25 12:58:44 2016 +0100
+
+ ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
+
+ The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
+ to select CRYPTO_ECHAINIV in order to work properly. This solves the
+ issues caused by a misconfiguration as described in [1].
+ The original approach, patching crypto/Kconfig was turned down by
+ Herbert Xu [2].
+
+ [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
+ [2] http://marc.info/?l=linux-crypto-vger&m=145224655809562&w=2
+
+ Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
+ Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/Kconfig | 1 +
+ net/ipv6/Kconfig | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit fca5a303155ea67d28aece0caf2b03ffc3b2668d
+Merge: 904114c 6339c1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:08:40 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 6339c1f9a9beafd417bf9f04d4b257e62aeb45b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:07:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test25.patch:
+ - fixed incorrect handling of VM_DONTCOPY during fork that would trigger a consistency check in the vma mirroring logic, reported by Mathias Krause <minipli@googlemail.com>
+ - fixed init_new_context on !MODIFY_LDT_SYSCALL configs, reported by tjh (https://forums.grsecurity.net/viewtopic.php?f=3&t=4368)
+ - fixed a few REFCOUNT false positives in SNMP related statistics
+
+ arch/x86/Kconfig | 2 +-
+ arch/x86/include/asm/mmu_context.h | 17 +++++++++++++++++
+ include/net/snmp.h | 10 +++++-----
+ kernel/fork.c | 11 +++++++++--
+ net/ipv4/proc.c | 8 ++++----
+ net/ipv6/addrconf.c | 4 ++--
+ net/ipv6/proc.c | 10 +++++-----
+ 7 files changed, 43 insertions(+), 19 deletions(-)
+
+commit 904114c2fce3fdff5d57e763da56a78960db4e19
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Jan 22 18:08:52 2016 -0500
+
+ make sure that freeing shmem fast symlinks is RCU-delayed
+
+ Cc: stable@vger.kernel.org # v4.2+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ include/linux/shmem_fs.h | 5 +----
+ mm/shmem.c | 9 ++++-----
+ 2 files changed, 5 insertions(+), 9 deletions(-)
+
+commit ab86adee64312a2f827dd516cb199521327943ed
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon Jan 18 19:23:51 2016 -0500
+
+ netfilter: nf_conntrack: use safer way to lock all buckets
+
+ When we need to lock all buckets in the connection hashtable we'd attempt to
+ lock 1024 spinlocks, which is way more preemption levels than supported by
+ the kernel. Furthermore, this behavior was hidden by checking if lockdep is
+ enabled, and if it was - use only 8 buckets(!).
+
+ Fix this by using a global lock and synchronize all buckets on it when we
+ need to lock them all. This is pretty heavyweight, but is only done when we
+ need to resize the hashtable, and that doesn't happen often enough (or at all).
+
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+ Reviewed-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ Conflicts:
+
+ net/netfilter/nfnetlink_cttimeout.c
+
+ include/net/netfilter/nf_conntrack_core.h | 8 ++----
+ net/netfilter/nf_conntrack_core.c | 38 +++++++++++++++++++++-------
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 2 +-
+ 4 files changed, 33 insertions(+), 17 deletions(-)
+
+commit 37014723527225481c720484bb788a1a6358072f
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Jan 18 16:36:09 2016 +0100
+
+ pipe: limit the per-user amount of pages allocated in pipes
+
+ On no-so-small systems, it is possible for a single process to cause an
+ OOM condition by filling large pipes with data that are never read. A
+ typical process filling 4000 pipes with 1 MB of data will use 4 GB of
+ memory. On small systems it may be tricky to set the pipe max size to
+ prevent this from happening.
+
+ This patch makes it possible to enforce a per-user soft limit above
+ which new pipes will be limited to a single page, effectively limiting
+ them to 4 kB each, as well as a hard limit above which no new pipes may
+ be created for this user. This has the effect of protecting the system
+ against memory abuse without hurting other users, and still allowing
+ pipes to work correctly though with less data at once.
+
+ The limit are controlled by two new sysctls : pipe-user-pages-soft, and
+ pipe-user-pages-hard. Both may be disabled by setting them to zero. The
+ default soft limit allows the default number of FDs per process (1024)
+ to create pipes of the default size (64kB), thus reaching a limit of 64MB
+ before starting to create only smaller pipes. With 256 processes limited
+ to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
+ 1084 MB of memory allocated for a user. The hard limit is disabled by
+ default to avoid breaking existing applications that make intensive use
+ of pipes (eg: for splicing).
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Documentation/sysctl/fs.txt | 23 +++++++++++++++++++++
+ fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++-
+ include/linux/pipe_fs_i.h | 4 +++
+ include/linux/sched.h | 1 +
+ kernel/sysctl.c | 14 ++++++++++++
+ 5 files changed, 87 insertions(+), 2 deletions(-)
+
+commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8
+Merge: 540f2af 7791ecb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 23 10:57:11 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7791ecb84f840343a5646236fd0d34e1fb450793
+Merge: 470069c 399588c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 23 10:56:47 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Jan 19 21:18:47 2016 -0500
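Review bot: in the hugetlbfs entry the Fixes: and Reported-by: trailers are run together on one line (`Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>`), so any tool that reads one trailer per line will misparse both; if this log is regenerated, split that line before Reported-by:. Two further points worth a line in the log header: the Fixes: hashes are mainline hashes and do not match the entries in this log (the radix-tree follow-up cites `Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")`, while the commit with that subject listed here is 87790bbd0d8d, the stable backport), and the pipe entry's `Mitigates: CVE-2013-4312` holds only through the soft limit, since the entry itself states that the hard limit is disabled by default.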