-commit bdc543e6fa0c1cf74bca28aeb344a1e225d7e09b
-Merge: 672a089 d0fff4d
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Jul 28 19:37:49 2015 -0400
-
- Merge branch 'pax-test' into grsec-test
-
-commit d0fff4d52431b3b92fb24b3baa7f25d5b7b88439
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Tue Jul 28 19:37:28 2015 -0400
-
- Revert PCID changes
+commit 87790bbd0d8dc2bd7fd86cb947e32886db9e9766
+Author: Matthew Wilcox <willy@linux.intel.com>
+Date: Tue Feb 2 16:57:52 2016 -0800
+
+ radix-tree: fix race in gang lookup
+
+ If the indirect_ptr bit is set on a slot, that indicates we need to redo
+ the lookup. Introduce a new function radix_tree_iter_retry() which
+ forces the loop to retry the lookup by setting 'slot' to NULL and
+ turning the iterator back to point at the problematic entry.
+
+ This is a pretty rare problem to hit at the moment; the lookup has to
+ race with a grow of the radix tree from a height of 0. The consequences
+ of hitting this race are that gang lookup could return a pointer to a
+ radix_tree_node instead of a pointer to whatever the user had inserted
+ in the tree.
+
+ Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
+ Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- arch/x86/include/asm/cpufeature.h | 1 -
- arch/x86/include/asm/mmu_context.h | 10 +++++-----
- arch/x86/include/asm/tlbflush.h | 20 +++++++++-----------
- arch/x86/kernel/cpu/common.c | 31 ++++++++++++++-----------------
- init/main.c | 3 ++-
- 5 files changed, 30 insertions(+), 35 deletions(-)
+ include/linux/radix-tree.h | 16 ++++++++++++++++
+ lib/radix-tree.c | 12 ++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
-commit 672a0895cf976099d985d2a2ef0978fa3b5b5423
-Author: Dave Hansen <dave.hansen@linux.intel.com>
-Date: Mon Jul 20 16:01:53 2015 -0700
+commit bf628043b4589c910919a0f221ae7f42aa8cea93
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Feb 3 02:11:03 2016 +0100
- x86/mm: Add parenthesis for TLB tracepoint size calculation
+ unix: correctly track in-flight fds in sending process user_struct
- flush_tlb_info->flush_start/end are both normal virtual
- addresses. When calculating 'nr_pages' (only used for the
- tracepoint), I neglected to put parenthesis in.
+ The commit referenced in the Fixes tag incorrectly accounted the number
+ of in-flight fds over a unix domain socket to the original opener
+ of the file-descriptor. This allows another process to arbitrary
+ deplete the original file-openers resource limit for the maximum of
+ open files. Instead the sending processes and its struct cred should
+ be credited.
- Thanks to David Koufaty for pointing this out.
+ To do so, we add a reference counted struct user_struct pointer to the
+ scm_fp_list and use it to account for the number of inflight unix fds.
- Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
- Cc: Andrew Morton <akpm@linux-foundation.org>
+ Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+ Reported-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: David Herrmann <dh.herrmann@gmail.com>
+ Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
- Cc: Peter Zijlstra <peterz@infradead.org>
- Cc: Thomas Gleixner <tglx@linutronix.de>
- Cc: dave@sr71.net
- Cc: <stable@vger.kernel.org>
- Link: http://lkml.kernel.org/r/20150720230153.9E834081@viggo.jf.intel.com
- Signed-off-by: Ingo Molnar <mingo@kernel.org>
-
- arch/x86/mm/tlb.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
-commit 5f1e4f78d034c849ab516a7e5d45475b95eb9a13
-Author: Toshi Kani <toshi.kani@hp.com>
-Date: Thu Jul 16 17:23:15 2015 -0600
-
- x86/mm: Remove region_is_ram() call from ioremap
-
- __ioremap_caller() calls region_is_ram() to walk through the
- iomem_resource table to check if a target range is in RAM, which was
- added to improve the lookup performance over page_is_ram() (commit
- 906e36c5c717 "x86: use optimized ioresource lookup in ioremap
- function"). page_is_ram() was no longer used when this change was
- added, though.
-
- __ioremap_caller() then calls walk_system_ram_range(), which had
- replaced page_is_ram() to improve the lookup performance (commit
- c81c8a1eeede "x86, ioremap: Speed up check for RAM pages").
-
- Since both checks walk through the same iomem_resource table for
- the same purpose, there is no need to call both functions.
-
- Aside of that walk_system_ram_range() is the only useful check at the
- moment because region_is_ram() always returns -1 due to an
- implementation bug. That bug in region_is_ram() cannot be fixed
- without breaking existing ioremap callers, which rely on the subtle
- difference of walk_system_ram_range() versus non page aligned ranges.
-
- Once these offending callers are fixed we can use region_is_ram() and
- remove walk_system_ram_range().
-
- [ tglx: Massaged changelog ]
-
- Signed-off-by: Toshi Kani <toshi.kani@hp.com>
- Reviewed-by: Dan Williams <dan.j.williams@intel.com>
- Cc: Roland Dreier <roland@purestorage.com>
- Cc: Mike Travis <travis@sgi.com>
- Cc: Luis R. Rodriguez <mcgrof@suse.com>
- Cc: H. Peter Anvin <hpa@zytor.com>
- Cc: Ingo Molnar <mingo@redhat.com>
- Cc: Borislav Petkov <bp@alien8.de>
- Cc: linux-mm@kvack.org
- Link: http://lkml.kernel.org/r/1437088996-28511-3-git-send-email-toshi.kani@hp.com
- Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+commit e830db443ff78d70b7b63536e688d73907face0c
+Author: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri Jan 15 16:57:37 2016 -0800
+
+ fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+ Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+ argument end is of type pgoff_t. It was being converted to a vaddr
+ offset and passed to unmap_hugepage_range. However, end was also being
+ used as an argument to the vma_interval_tree_foreach controlling loop.
+ In addition, the conversion of end to vaddr offset was incorrect.
+
+ hugetlb_vmtruncate_list is called as part of a file truncate or
+ fallocate hole punch operation.
+
+ When truncating a hugetlbfs file, this bug could prevent some pages from
+ being unmapped. This is possible if there are multiple vmas mapping the
+ file, and there is a sufficiently sized hole between the mappings. The
+ size of the hole between two vmas (A,B) must be such that the starting
+ virtual address of B is greater than (ending virtual address of A <<
+ PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+ pages are not properly unmapped during truncate, the following BUG is
+ hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+ In the fallocate hole punch case, this bug could prevent pages from
+ being unmapped as in the truncate case. However, for hole punch the
+ result is that unmapped pages will not be removed during the operation.
+ For hole punch, it is also possible that more pages than desired will be
+ unmapped. This unnecessary unmapping will cause page faults to
+ reestablish the mappings on subsequent page access.
+
+ Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+ Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Davidlohr Bueso <dave@stgolabs.net>
+ Cc: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org> [4.3]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- arch/x86/mm/ioremap.c | 24 ++++++------------------
- 1 files changed, 6 insertions(+), 18 deletions(-)
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
-commit 4eed17a1f681e80501895c461980734de2bf0c26
-Author: Toshi Kani <toshi.kani@hp.com>
-Date: Thu Jul 16 17:23:14 2015 -0600
+commit cdb3ba4a9113b779347387f3b6c6ea72dd4db12f
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Feb 4 17:06:13 2016 +0100
- x86/mm: Move warning from __ioremap_check_ram() to the call site
-
- __ioremap_check_ram() has a WARN_ONCE() which is emitted when the
- given pfn range is not RAM. The warning is bogus in two aspects:
+ ALSA: timer: Fix leftover link at closing
- - it never triggers since walk_system_ram_range() only calls
- __ioremap_check_ram() for RAM ranges.
+ In ALSA timer core, the active timer instance is managed in
+ active_list linked list. Each element is added / removed dynamically
+ at timer start, stop and in timer interrupt. The problem is that
+ snd_timer_interrupt() has a thinko and leaves the element in
+ active_list when it's the last opened element. This eventually leads
+ to list corruption or use-after-free error.
- - the warning message is wrong as it says: "ioremap on RAM' after it
- established that the pfn range is not RAM.
+ This hasn't been revealed because we used to delete the list forcibly
+ in snd_timer_stop() in the past. However, the recent fix avoids the
+ double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
+ corruption due to double start or stop]), and this leak hits reality.
- Move the WARN_ONCE() to __ioremap_caller(), and update the message to
- include the address range so we get an actual warning when something
- tries to ioremap system RAM.
+ This patch fixes the link management in snd_timer_interrupt(). Now it
+ simply unlinks no matter which stream is.
- [ tglx: Massaged changelog ]
-
- Signed-off-by: Toshi Kani <toshi.kani@hp.com>
- Reviewed-by: Dan Williams <dan.j.williams@intel.com>
- Cc: Roland Dreier <roland@purestorage.com>
- Cc: Luis R. Rodriguez <mcgrof@suse.com>
- Cc: H. Peter Anvin <hpa@zytor.com>
- Cc: Ingo Molnar <mingo@redhat.com>
- Cc: Borislav Petkov <bp@alien8.de>
- Cc: linux-mm@kvack.org
- Link: http://lkml.kernel.org/r/1437088996-28511-2-git-send-email-toshi.kani@hp.com
- Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- arch/x86/mm/ioremap.c | 7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
+ sound/core/timer.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit 9af4e75578b65827a05cae89a9cdb77d6caef754
-Author: Toshi Kani <toshi.kani@hp.com>
-Date: Thu Jul 16 17:23:16 2015 -0600
+commit 47d9647902f6a2f46a2be1e0140ba0f6f8c06008
+Author: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri Feb 5 15:37:01 2016 -0800
- mm: Fix bugs in region_is_ram()
-
- region_is_ram() looks up the iomem_resource table to check if
- a target range is in RAM. However, it always returns with -1
- due to invalid range checks. It always breaks the loop at the
- first entry of the table.
+ radix-tree: fix oops after radix_tree_iter_retry
- Another issue is that it compares p->flags and flags, but it always
- fails. flags is declared as int, which makes it as a negative value
- with IORESOURCE_BUSY (0x80000000) set while p->flags is unsigned long.
+ Helper radix_tree_iter_retry() resets next_index to the current index.
+ In following radix_tree_next_slot current chunk size becomes zero. This
+ isn't checked and it tries to dereference null pointer in slot.
- Fix the range check and flags so that region_is_ram() works as
- advertised.
+ Tagged iterator is fine because retry happens only at slot 0 where tag
+ bitmask in iter->tags is filled with single bit.
- Signed-off-by: Toshi Kani <toshi.kani@hp.com>
- Reviewed-by: Dan Williams <dan.j.williams@intel.com>
- Cc: Mike Travis <travis@sgi.com>
- Cc: Luis R. Rodriguez <mcgrof@suse.com>
- Cc: Andrew Morton <akpm@linux-foundation.org>
- Cc: Roland Dreier <roland@purestorage.com>
- Cc: linux-mm@kvack.org
- Link: http://lkml.kernel.org/r/1437088996-28511-4-git-send-email-toshi.kani@hp.com
- Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+ Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+ Cc: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Jeremiah Mahler <jmmahler@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- kernel/resource.c | 6 +++---
+ include/linux/radix-tree.h | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
-commit db002defded430624dbef2561ceb76501c8f956b
-Author: Tomas Winkler <tomas.winkler@intel.com>
-Date: Thu Jun 18 11:41:03 2015 +0300
+commit 95b5dcb3c01958502af00b0bc0da1d906aae11a2
+Merge: 438be0b 256aeaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:33 2016 -0500
- mei: prevent unloading mei hw modules while the device is opened.
-
- chrdev_open() increases reference counter on cdev->owner. Instead of
- assigning the owner to mei subsystem, the owner has to be set to the
- underlaying HW module (mei_me or mei_txe), so once the device is opened
- the HW module cannot be unloaded.
-
- Cc: <stable@vger.kernel.org> #3.17+
- Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
- Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
- Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+ Merge branch 'pax-test' into grsec-test
+
+commit 256aeaf87c22de8edf1f03682a572c590ae07771
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:09 2016 -0500
+
+ Update to pax-linux-4.3.5-test28.patch:
+ - fixed an integer truncation bug in numa_clear_kernel_node_hotplug caught by the size overflow plugin, reported by x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4374)
+ - spender fixed UDEREF on arm
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ arch/x86/mm/numa.c | 2 +-
+ security/Kconfig | 1 -
+ 10 files changed, 60 insertions(+), 70 deletions(-)
+
+commit 438be0bd112bd17942b2628c53054dc1007558a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 19:50:31 2016 -0500
+
+ Fix a number of issues caused by the upstream merging of a UDEREF ripoff resulting in unbootable
+ ARM systems reported on the forums
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ security/Kconfig | 1 -
+ 9 files changed, 59 insertions(+), 69 deletions(-)
+
+commit 4ffdd5ef1f87e611af1efb4f251ada92abe9f4c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:21:53 2016 -0500
+
+ Fix another compiler warning
+
+ net/ipv4/tcp_input.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 30b5b7bc0fd67d458bdd5ab35e4689769eabd2ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:16:12 2016 -0500
+
+ Fix two compiler warnings
+
+ kernel/pid.c | 5 ++---
+ kernel/ptrace.c | 3 ++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit dda4d2a21914c480750f10bd55c6e3203d415d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:22:40 2016 -0500
+
+ Apply fix for integer truncation in NUMA init code, reported by
+ x14sg1 on the forums:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4374
- drivers/misc/mei/main.c | 2 +-
+ arch/x86/mm/numa.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
-commit 426a498250be1cf7eb47a4b211754eac4c856fc9
-Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
-Date: Fri Jul 24 10:38:12 2015 -0400
+commit 477505f7c893cb6a2c3e22f83eefd9c985d7b3ca
+Merge: a781740 016d0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:58 2016 -0500
- ftrace: Fix breakage of set_ftrace_pid
-
- Commit 4104d326b670 ("ftrace: Remove global function list and call function
- directly") simplified the ftrace code by removing the global_ops list with a
- new design. But this cleanup also broke the filtering of PIDs that are added
- to the set_ftrace_pid file.
-
- Add back the proper hooks to have pid filtering working once again.
-
- Cc: stable@vger.kernel.org # 3.16+
- Reported-by: Matt Fleming <matt@console-pimps.org>
- Reported-by: Richard Weinberger <richard.weinberger@gmail.com>
- Tested-by: Matt Fleming <matt@console-pimps.org>
- Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+ Merge branch 'pax-test' into grsec-test
- include/linux/ftrace.h | 3 ++
- kernel/trace/ftrace.c | 52 +++++++++++++++++++++++++++++++----------------
- 2 files changed, 37 insertions(+), 18 deletions(-)
-
-commit ecf07c60ecb962a459c5b466cafc51be06433e4d
-Author: Matt Fleming <matt.fleming@intel.com>
-Date: Tue Jul 21 15:55:09 2015 +0100
-
- perf/x86/intel/cqm: Return cached counter value from IRQ context
-
- Peter reported the following potential crash which I was able to
- reproduce with his test program,
-
- [ 148.765788] ------------[ cut here ]------------
- [ 148.765796] WARNING: CPU: 34 PID: 2840 at kernel/smp.c:417 smp_call_function_many+0xb6/0x260()
- [ 148.765797] Modules linked in:
- [ 148.765800] CPU: 34 PID: 2840 Comm: perf Not tainted 4.2.0-rc1+ #4
- [ 148.765803] ffffffff81cdc398 ffff88085f105950 ffffffff818bdfd5 0000000000000007
- [ 148.765805] 0000000000000000 ffff88085f105990 ffffffff810e413a 0000000000000000
- [ 148.765807] ffffffff82301080 0000000000000022 ffffffff8107f640 ffffffff8107f640
- [ 148.765809] Call Trace:
- [ 148.765810] <NMI> [<ffffffff818bdfd5>] dump_stack+0x45/0x57
- [ 148.765818] [<ffffffff810e413a>] warn_slowpath_common+0x8a/0xc0
- [ 148.765822] [<ffffffff8107f640>] ? intel_cqm_stable+0x60/0x60
- [ 148.765824] [<ffffffff8107f640>] ? intel_cqm_stable+0x60/0x60
- [ 148.765825] [<ffffffff810e422a>] warn_slowpath_null+0x1a/0x20
- [ 148.765827] [<ffffffff811613f6>] smp_call_function_many+0xb6/0x260
- [ 148.765829] [<ffffffff8107f640>] ? intel_cqm_stable+0x60/0x60
- [ 148.765831] [<ffffffff81161748>] on_each_cpu_mask+0x28/0x60
- [ 148.765832] [<ffffffff8107f6ef>] intel_cqm_event_count+0x7f/0xe0
- [ 148.765836] [<ffffffff811cdd35>] perf_output_read+0x2a5/0x400
- [ 148.765839] [<ffffffff811d2e5a>] perf_output_sample+0x31a/0x590
- [ 148.765840] [<ffffffff811d333d>] ? perf_prepare_sample+0x26d/0x380
- [ 148.765841] [<ffffffff811d3497>] perf_event_output+0x47/0x60
- [ 148.765843] [<ffffffff811d36c5>] __perf_event_overflow+0x215/0x240
- [ 148.765844] [<ffffffff811d4124>] perf_event_overflow+0x14/0x20
- [ 148.765847] [<ffffffff8107e7f4>] intel_pmu_handle_irq+0x1d4/0x440
- [ 148.765849] [<ffffffff811d07a6>] ? __perf_event_task_sched_in+0x36/0xa0
- [ 148.765853] [<ffffffff81219bad>] ? vunmap_page_range+0x19d/0x2f0
- [ 148.765854] [<ffffffff81219d11>] ? unmap_kernel_range_noflush+0x11/0x20
- [ 148.765859] [<ffffffff814ce6fe>] ? ghes_copy_tofrom_phys+0x11e/0x2a0
- [ 148.765863] [<ffffffff8109e5db>] ? native_apic_msr_write+0x2b/0x30
- [ 148.765865] [<ffffffff8109e44d>] ? x2apic_send_IPI_self+0x1d/0x20
- [ 148.765869] [<ffffffff81065135>] ? arch_irq_work_raise+0x35/0x40
- [ 148.765872] [<ffffffff811c8d86>] ? irq_work_queue+0x66/0x80
- [ 148.765875] [<ffffffff81075306>] perf_event_nmi_handler+0x26/0x40
- [ 148.765877] [<ffffffff81063ed9>] nmi_handle+0x79/0x100
- [ 148.765879] [<ffffffff81064422>] default_do_nmi+0x42/0x100
- [ 148.765880] [<ffffffff81064563>] do_nmi+0x83/0xb0
- [ 148.765884] [<ffffffff818c7c0f>] end_repeat_nmi+0x1e/0x2e
- [ 148.765886] [<ffffffff811d07a6>] ? __perf_event_task_sched_in+0x36/0xa0
- [ 148.765888] [<ffffffff811d07a6>] ? __perf_event_task_sched_in+0x36/0xa0
- [ 148.765890] [<ffffffff811d07a6>] ? __perf_event_task_sched_in+0x36/0xa0
- [ 148.765891] <<EOE>> [<ffffffff8110ab66>] finish_task_switch+0x156/0x210
- [ 148.765898] [<ffffffff818c1671>] __schedule+0x341/0x920
- [ 148.765899] [<ffffffff818c1c87>] schedule+0x37/0x80
- [ 148.765903] [<ffffffff810ae1af>] ? do_page_fault+0x2f/0x80
- [ 148.765905] [<ffffffff818c1f4a>] schedule_user+0x1a/0x50
- [ 148.765907] [<ffffffff818c666c>] retint_careful+0x14/0x32
- [ 148.765908] ---[ end trace e33ff2be78e14901 ]---
-
- The CQM task events are not safe to be called from within interrupt
- context because they require performing an IPI to read the counter value
- on all sockets. And performing IPIs from within IRQ context is a
- "no-no".
-
- Make do with the last read counter value currently event in
- event->count when we're invoked in this context.
-
- Reported-by: Peter Zijlstra <peterz@infradead.org>
- Signed-off-by: Matt Fleming <matt.fleming@intel.com>
- Cc: Thomas Gleixner <tglx@linutronix.de>
- Cc: Vikas Shivappa <vikas.shivappa@intel.com>
- Cc: Kanaka Juvva <kanaka.d.juvva@intel.com>
- Cc: Will Auld <will.auld@intel.com>
+commit 016d0d81a8dd4be1304c82a68e0ccf425868f467
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:10 2016 -0500
+
+ Update to pax-linux-4.3.5-test27.patch:
+ - fixed a bunch of potential REFCOUNT false positives, reported by Emese
+ - restored padding in fpregs_state for storing AVX-512 state in the future
+ - constified netlink_dump_control
+ - added const version of debug_gimple_stmt for gcc plugins, by Emese
+ - Emese fixed a bug in initify that could have initified too much
+ - Emese fixed a false positive intentional integer overflow in xfrm4_extract_header, reported by corsac
+
+ arch/x86/include/asm/fpu/types.h | 1 +
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ block/blk-cgroup.c | 18 ++--
+ block/cfq-iosched.c | 4 +-
+ crypto/crypto_user.c | 8 ++-
+ drivers/acpi/apei/ghes.c | 6 +-
+ drivers/char/ipmi/ipmi_ssif.c | 12 ++--
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +-
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 2 +-
+ drivers/gpu/drm/amd/scheduler/sched_fence.c | 2 +-
+ drivers/infiniband/core/netlink.c | 5 +-
+ drivers/infiniband/hw/cxgb4/device.c | 6 +-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/bcache.h | 10 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/io.c | 10 +-
+ drivers/md/bcache/journal.c | 2 +-
+ drivers/md/bcache/stats.c | 26 +++---
+ drivers/md/bcache/stats.h | 16 ++--
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bcache/sysfs.c | 20 +++---
+ drivers/md/dm-cache-target.c | 98 ++++++++++++------------
+ drivers/md/dm-raid.c | 2 +-
+ drivers/md/md.c | 6 +-
+ drivers/md/md.h | 2 +-
+ drivers/md/raid1.c | 2 +-
+ drivers/md/raid10.c | 2 +-
+ drivers/md/raid5.c | 4 +-
+ drivers/media/pci/zoran/zoran.h | 1 -
+ drivers/media/pci/zoran/zoran_driver.c | 3 -
+ drivers/net/ethernet/sfc/selftest.c | 20 +++---
+ drivers/net/irda/vlsi_ir.c | 18 ++--
+ drivers/net/irda/vlsi_ir.h | 14 ++--
+ drivers/net/wireless/ath/carl9170/carl9170.h | 6 +-
+ drivers/net/wireless/ath/carl9170/debug.c | 6 +-
+ drivers/net/wireless/ath/carl9170/main.c | 10 +-
+ drivers/net/wireless/ath/carl9170/tx.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/d3.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 2 +-
+ drivers/scsi/hptiop.c | 2 -
+ drivers/scsi/hptiop.h | 1 -
+ drivers/scsi/ipr.c | 6 +-
+ drivers/scsi/ipr.h | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 10 +-
+ drivers/scsi/qla2xxx/qla_target.h | 2 +-
+ fs/btrfs/ctree.c | 2 +-
+ fs/btrfs/ctree.h | 4 +-
+ fs/btrfs/delayed-ref.c | 4 +-
+ fs/btrfs/disk-io.c | 4 +-
+ fs/btrfs/file.c | 4 +-
+ fs/btrfs/raid56.c | 32 ++++----
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ fs/btrfs/transaction.c | 2 +-
+ fs/btrfs/tree-log.c | 8 +-
+ fs/btrfs/volumes.c | 14 ++--
+ fs/btrfs/volumes.h | 22 +++---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 4 +-
+ fs/ocfs2/dlm/dlmcommon.h | 4 +-
+ fs/ocfs2/dlm/dlmdebug.c | 10 +-
+ fs/ocfs2/dlm/dlmdomain.c | 4 +-
+ fs/ocfs2/dlm/dlmmaster.c | 4 +-
+ include/acpi/ghes.h | 2 +-
+ include/linux/blk-cgroup.h | 24 +++---
+ include/linux/jbd2.h | 2 +-
+ include/linux/netlink.h | 12 ++--
+ include/net/cfg802154.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +-
+ net/batman-adv/routing.c | 4 +-
+ net/batman-adv/soft-interface.c | 2 +-
+ net/batman-adv/translation-table.c | 14 ++--
+ net/batman-adv/types.h | 2 +-
+ net/core/neighbour.c | 14 ++--
+ net/core/rtnetlink.c | 2 +-
+ net/ipv4/arp.c | 2 +-
+ net/ipv4/inet_diag.c | 4 +-
+ net/ipv4/xfrm4_state.c | 4 +-
+ net/ipv6/ndisc.c | 2 +-
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/debugfs_key.c | 2 +-
+ net/mac80211/key.c | 4 +-
+ net/mac80211/tx.c | 2 +-
+ net/mac80211/wpa.c | 10 +-
+ net/mac802154/iface.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 22 +++---
+ net/netfilter/nf_tables_api.c | 13 ++--
+ net/netfilter/nfnetlink_acct.c | 7 +-
+ net/netfilter/nfnetlink_cthelper.c | 2 +-
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ net/netlink/af_netlink.c | 10 ++-
+ net/netlink/diag.c | 2 +-
+ net/netlink/genetlink.c | 14 ++--
+ net/packet/af_packet.c | 18 ++--
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 6 +-
+ net/unix/diag.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ security/apparmor/policy.c | 4 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_fifo.c | 6 +-
+ sound/core/seq/seq_fifo.h | 2 +-
+ tools/gcc/gcc-common.h | 24 ++++--
+ tools/gcc/initify_plugin.c | 7 +-
+ tools/lib/api/Makefile | 2 +-
+ 109 files changed, 399 insertions(+), 391 deletions(-)
+
+commit a7817402ac837b1aee07fac42537a02097055098
+Author: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Fri Jan 29 11:36:10 2016 +0000
+
+ x86/mm/pat: Avoid truncation when converting cpa->numpages to address
+
+ There are a couple of nasty truncation bugs lurking in the pageattr
+ code that can be triggered when mapping EFI regions, e.g. when we pass
+ a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
+ left by PAGE_SHIFT will truncate the resultant address to 32-bits.
+
+ Viorel-Cătălin managed to trigger this bug on his Dell machine that
+ provides a ~5GB EFI region which requires 1236992 pages to be mapped.
+ When calling populate_pud() the end of the region gets calculated
+ incorrectly in the following buggy expression,
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+
+ And only 188416 pages are mapped. Next, populate_pud() gets invoked
+ for a second time because of the loop in __change_page_attr_set_clr(),
+ only this time no pages get mapped because shifting the remaining
+ number of pages (1048576) by PAGE_SHIFT is zero. At which point the
+ loop in __change_page_attr_set_clr() spins forever because we fail to
+ map progress.
+
+ Hitting this bug depends very much on the virtual address we pick to
+ map the large region at and how many pages we map on the initial run
+ through the loop. This explains why this issue was only recently hit
+ with the introduction of commit
+
+ a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
+ entries bottom-up at runtime, instead of top-down")
+
+ It's interesting to note that safe uses of cpa->numpages do exist in
+ the pageattr code. If instead of shifting ->numpages we multiply by
+ PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
+ so the result is unsigned long.
+
+ To avoid surprises when users try to convert very large cpa->numpages
+ values to addresses, change the data type from 'int' to 'unsigned
+ long', thereby making it suitable for shifting by PAGE_SHIFT without
+ any type casting.
+
+ The alternative would be to make liberal use of casting, but that is
+ far more likely to cause problems in the future when someone adds more
+ code and fails to cast properly; this bug was difficult enough to
+ track down in the first place.
+
+ Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
+ Acked-by: Borislav Petkov <bp@alien8.de>
+ Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
Cc: <stable@vger.kernel.org>
- Link: http://lkml.kernel.org/r/1437490509-15373-1-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
+ Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
- arch/x86/kernel/cpu/perf_event_intel_cqm.c | 8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
+ arch/x86/mm/pageattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit f0b71d674319afc7cd3d408a95c315ab9332fea6
-Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
-Date: Thu Jul 23 12:05:40 2015 +0200
+commit 64dd9d7a67a742fda257cdd16510c29e695c34b5
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Tue Jan 26 04:15:18 2016 -0700
- inet: frags: remove INET_FRAG_EVICTED and use list_evictor for the test
-
- We can simply remove the INET_FRAG_EVICTED flag to avoid all the flags
- race conditions with the evictor and use a participation test for the
- evictor list, when we're at that point (after inet_frag_kill) in the
- timer there're 2 possible cases:
+ x86/mm: Fix types used in pgprot cacheability flags translations
- 1. The evictor added the entry to its evictor list while the timer was
- waiting for the chainlock
- or
- 2. The timer unchained the entry and the evictor won't see it
+ For PAE kernels "unsigned long" is not suitable to hold page protection
+ flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
+ few W+X pages getting reported as insecure during boot (observed namely
+ for the entire initrd range).
- In both cases we should be able to see list_evictor correctly due
- to the sync on the chainlock.
-
- Joint work with Florian Westphal.
-
- Tested-by: Frank Schreuder <fschreuder@transip.nl>
- Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
- Signed-off-by: Florian Westphal <fw@strlen.de>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Fixes: 281d4078be ("x86: Make page cache mode a real type")
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Reviewed-by: Juergen Gross <JGross@suse.com>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
- include/net/inet_frag.h | 7 +++++--
- net/ipv4/inet_fragment.c | 1 -
- net/ipv4/ip_fragment.c | 2 +-
- net/ipv6/reassembly.c | 2 +-
- 4 files changed, 7 insertions(+), 5 deletions(-)
+ arch/x86/include/asm/pgtable_types.h | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
-commit 5bab758a94075d04d16c2e693620149e80c80a6b
-Author: Florian Westphal <fw@strlen.de>
-Date: Thu Jul 23 12:05:39 2015 +0200
+commit bb9a3a9df0d8dfc96d521676e64c42b37ba22aea
+Merge: 682d661 f74425b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:06:25 2016 -0500
- inet: frag: don't wait for timer deletion when evicting
-
- Frank reports 'NMI watchdog: BUG: soft lockup' errors when
- load is high. Instead of (potentially) unbounded restarts of the
- eviction process, just skip to the next entry.
-
- One caveat is that, when a netns is exiting, a timer may still be running
- by the time inet_evict_bucket returns.
+ Merge branch 'pax-test' into grsec-test
- We use the frag memory accounting to wait for outstanding timers,
- so that when we free the percpu counter we can be sure no running
- timer will trip over it.
+ Conflicts:
+ drivers/net/slip/slhc.c
+ include/linux/sched.h
+ net/unix/af_unix.c
+ sound/core/timer.c
+
+commit f74425b5705bfe52aff9e97659ef10c4a14176c3
+Merge: d14af1f 849a2d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:02:55 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
- Reported-and-tested-by: Frank Schreuder <fschreuder@transip.nl>
- Signed-off-by: Florian Westphal <fw@strlen.de>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Conflicts:
+ arch/x86/include/asm/mmu_context.h
- net/ipv4/inet_fragment.c | 29 +++++++++++------------------
- 1 files changed, 11 insertions(+), 18 deletions(-)
+commit 682d6611d75542e351c973c8dd74a99d3966c073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 30 13:05:03 2016 -0500
-commit 243266640fe195843ebaf0f06f00b81861d79083
-Author: Florian Westphal <fw@strlen.de>
-Date: Thu Jul 23 12:05:38 2015 +0200
+ Based on a report from Mathias Krause, fix up a number of additional instances
+ of ulong overflow when passing in values to gr_learn_resource by saturating
+ to ULONG_MAX
+
+ mm/mlock.c | 11 ++++++++---
+ mm/mmap.c | 16 +++++++++++++---
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+commit adb52e95fb9ad4ac9c56cd5d47bd668f47c33096
+Author: Jann Horn <jann@thejh.net>
+Date: Sat Dec 26 06:00:48 2015 +0100
- inet: frag: change *_frag_mem_limit functions to take netns_frags as argument
+ seccomp: always propagate NO_NEW_PRIVS on tsync
- Followup patch will call it after inet_frag_queue was freed, so q->net
- doesn't work anymore (but netf = q->net; free(q); mem_limit(netf) would).
+ Before this patch, a process with some permissive seccomp filter
+ that was applied by root without NO_NEW_PRIVS was able to add
+ more filters to itself without setting NO_NEW_PRIVS by setting
+ the new filter from a throwaway thread with NO_NEW_PRIVS.
- Tested-by: Frank Schreuder <fschreuder@transip.nl>
- Signed-off-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+
+ kernel/seccomp.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+commit b85450498a3bbf269441c8963d7574bb3079c838
+Merge: 59c216f d14af1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:54:13 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d14af1f1dd66511f3f0674deee2b572972012b39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:53:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test26.patch:
+ - Emese fixed a few intentional overflows introduced by gcc, reported by StalkR (https://forums.grsecurity.net/viewtopic.php?f=3&t=4370)
+
+ fs/cifs/file.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 96 ++++++++++++++++++--
+ tools/gcc/size_overflow_plugin/size_overflow.h | 2 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 6 +-
+ .../size_overflow_transform_core.c | 5 +
+ 7 files changed, 102 insertions(+), 15 deletions(-)
+
+commit 59c216f13587eacdd692386b7a403ae78ed84fb6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 27 17:57:21 2016 -0500
+
+ Fix a size_overflow report reported by Mathias Krause in our
+ truncation of an loff_t to an unsigned long when being passed
+ to gr_learn_resource() (as all resource checks are against unsigned long
+ values)
+
+ fs/attr.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 70636c6ad60fc1db3af764ecc789b827b7497a97
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Wed Jan 6 12:42:38 2016 -0800
+
+ tcp: fix zero cwnd in tcp_cwnd_reduction
+
+ Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
+ conditionally") introduced a bug that cwnd may become 0 when both
+ inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
+ to a div-by-zero if the connection starts another cwnd reduction
+ phase by setting tp->prior_cwnd to the current cwnd (0) in
+ tcp_init_cwnd_reduction().
+
+ To prevent this we skip PRR operation when nothing is acked or
+ sacked. Then cwnd must be positive in all cases as long as ssthresh
+ is positive:
+
+ 1) The proportional reduction mode
+ inflight > ssthresh > 0
+
+ 2) The reduction bound mode
+ a) inflight == ssthresh > 0
+
+ b) inflight < ssthresh
+ sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
+
+ Therefore in all cases inflight and sndcnt can not both be 0.
+ We check invalid tp->prior_cwnd to avoid potential div0 bugs.
+
+ In reality this bug is triggered only with a sequence of less common
+ events. For example, the connection is terminating an ECN-triggered
+ cwnd reduction with an inflight 0, then it receives reordered/old
+ ACKs or DSACKs from prior transmission (which acks nothing). Or the
+ connection is in fast recovery stage that marks everything lost,
+ but fails to retransmit due to local issues, then receives data
+ packets from other end which acks nothing.
+
+ Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
+ Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- include/net/inet_frag.h | 8 ++++----
- net/ieee802154/6lowpan/reassembly.c | 6 +++---
- net/ipv4/inet_fragment.c | 4 ++--
- net/ipv4/ip_fragment.c | 10 +++++-----
- net/ipv6/netfilter/nf_conntrack_reasm.c | 6 +++---
- net/ipv6/reassembly.c | 6 +++---
- 6 files changed, 20 insertions(+), 20 deletions(-)
+ net/ipv4/tcp_input.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
-commit 980c50f6c86defb6bc40d7912008fb5d7057b345
-Author: Florian Westphal <fw@strlen.de>
-Date: Thu Jul 23 12:05:37 2015 +0200
+commit dac1da2bedbb43195d371c7a192cfeeb45683df0
+Author: Eric Dumazet <edumazet@google.com>
+Date: Sun Jan 24 13:53:50 2016 -0800
- inet: frag: don't re-use chainlist for evictor
-
- commit 65ba1f1ec0eff ("inet: frags: fix a race between inet_evict_bucket
- and inet_frag_kill") describes the bug, but the fix doesn't work reliably.
-
- Problem is that ->flags member can be set on other cpu without chainlock
- being held by that task, i.e. the RMW-Cycle can clear INET_FRAG_EVICTED
- bit after we put the element on the evictor private list.
+ af_unix: fix struct pid memory leak
- We can crash when walking the 'private' evictor list since an element can
- be deleted from list underneath the evictor.
+ Dmitry reported a struct pid leak detected by a syzkaller program.
- Join work with Nikolay Alexandrov.
+ Bug happens in unix_stream_recvmsg() when we break the loop when a
+ signal is pending, without properly releasing scm.
- Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
- Reported-by: Johan Schuijt <johan@transip.nl>
- Tested-by: Frank Schreuder <fschreuder@transip.nl>
- Signed-off-by: Nikolay Alexandrov <nikolay@cumulusnetworks.com>
- Signed-off-by: Florian Westphal <fw@strlen.de>
+ Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- include/net/inet_frag.h | 2 ++
- net/ipv4/inet_fragment.c | 8 +++-----
- 2 files changed, 5 insertions(+), 5 deletions(-)
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit 18dbb7c79efd6ad05708d5015e9ba1013b5e8d78
-Author: Johan Hedberg <johan.hedberg@intel.com>
-Date: Mon Jul 20 20:31:25 2015 +0300
+commit 15cc47f127520d1ac0c1fe76d993c2c27f0f2571
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jan 22 01:39:43 2016 +0100
- Bluetooth: Fix NULL pointer dereference in smp_conn_security
+ pptp: fix illegal memory access caused by multiple bind()s
+
+ Several times already this has been reported as kasan reports caused by
+ syzkaller and trinity and people always looked at RCU races, but it is
+ much more simple. :)
+
+ In case we bind a pptp socket multiple times, we simply add it to
+ the callid_sock list but don't remove the old binding. Thus the old
+ socket stays in the bucket with unused call_id indexes and doesn't get
+ cleaned up. This causes various forms of kasan reports which were hard
+ to pinpoint.
- The l2cap_conn->smp pointer may be NULL for various valid reasons where SMP has
- failed to initialize properly. One such scenario is when crypto support is
- missing, another when the adapter has been powered on through a legacy method.
- The smp_conn_security() function should have the appropriate check for this
- situation to avoid NULL pointer dereferences.
+ Simply don't allow multiple binds and correct error handling in
+ pptp_bind. Also keep sk_state bits in place in pptp_connect.
- Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
- Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
- Cc: stable@vger.kernel.org # 4.0+
+ Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Cc: Sasha Levin <sasha.levin@oracle.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dave Jones <davej@codemonkey.org.uk>
+ Reported-by: Dave Jones <davej@codemonkey.org.uk>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- net/bluetooth/smp.c | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
+ drivers/net/ppp/pptp.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
-commit f7806e7d24320350c2673c37682a4ebcede48fbb
-Merge: 7da4469 9188503
+commit e2b7b8c66851c85188fa6dab2d2b2a6c85bc7332
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 26 19:15:42 2015 -0400
+Date: Tue Jan 26 18:17:10 2016 -0500
- Merge branch 'pax-test' into grsec-test
+ Add info about cpupower/powertop to GRKERNSEC_KMEM, was present on our
+ wiki but was removed from the config help at some point
-commit 918850373a254f92f9c146bcaa66ccbcc4da5aa2
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 26 19:15:21 2015 -0400
-
- Update to pax-linux-4.1.3-test10.patch:
- - fixed compile errors on arm, reported by Michael Tremer <michael.tremer@ipfire.org>
- - fixed the new pax_nouderef mechanism
-
- arch/arm/include/asm/cpuidle.h | 2 +-
- arch/arm/kernel/cpuidle.c | 2 +-
- arch/x86/include/asm/cpufeature.h | 1 +
- arch/x86/include/asm/mmu_context.h | 10 +++++-----
- arch/x86/include/asm/tlbflush.h | 20 +++++++++++---------
- arch/x86/kernel/cpu/common.c | 2 ++
- drivers/clk/clk-mux.c | 4 ++--
- drivers/clk/samsung/clk.h | 2 +-
- drivers/gpio/gpio-omap.c | 2 +-
- drivers/gpu/drm/tegra/sor.c | 7 +++++--
- drivers/scsi/be2iscsi/be_main.c | 2 +-
- include/linux/clk-provider.h | 6 +++---
- init/main.c | 1 +
- 13 files changed, 35 insertions(+), 26 deletions(-)
-
-commit 7da446903dcd5e93faba1291772a19f3e0e1f261
-Merge: 8fa9f45 47942a0
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 26 11:26:15 2015 -0400
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
- Merge branch 'pax-test' into grsec-test
+commit ce2e88efa000fc32bfcd84098f57c8ed8310fefc
+Author: Thomas Egerer <hakke_007@gmx.de>
+Date: Mon Jan 25 12:58:44 2016 +0100
-commit 47942a0e37ae866e4a24bbd468fc1f6fe881589d
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 26 11:25:51 2015 -0400
+ ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
+
+ The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
+ to select CRYPTO_ECHAINIV in order to work properly. This solves the
+ issues caused by a misconfiguration as described in [1].
+ The original approach, patching crypto/Kconfig was turned down by
+ Herbert Xu [2].
+
+ [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
+ [2] http://marc.info/?l=linux-crypto-vger&m=145224655809562&w=2
+
+ Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
+ Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- Update to pax-linux-4.1.3-test9.patch:
- - pax_nouderef no longer disables PCID/INVPCID so that they are still available in guest VMs
- - fixed userland crashes under amd64/UDEREF/KERNEXEC caused by an oversight while backporting the NMI fixes, reported by Victor, ajj146 and Nicolas Simond
+ net/ipv4/Kconfig | 1 +
+ net/ipv6/Kconfig | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
- arch/x86/kernel/cpu/common.c | 31 ++++++++++++++++---------------
- arch/x86/kernel/entry_64.S | 10 +++++++++-
- init/main.c | 2 --
- 3 files changed, 25 insertions(+), 18 deletions(-)
+commit fca5a303155ea67d28aece0caf2b03ffc3b2668d
+Merge: 904114c 6339c1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:08:40 2016 -0500
-commit 8fa9f4585fd2d0f71bcf2f6472643f1bcfced4ef
+ Merge branch 'pax-test' into grsec-test
+
+commit 6339c1f9a9beafd417bf9f04d4b257e62aeb45b7
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 16:12:36 2015 -0400
+Date: Tue Jan 26 18:07:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test25.patch:
+ - fixed incorrect handling of VM_DONTCOPY during fork that would trigger a consistency check in the vma mirroring logic, reported by Mathias Krause <minipli@googlemail.com>
+ - fixed init_new_context on !MODIFY_LDT_SYSCALL configs, reported by tjh (https://forums.grsecurity.net/viewtopic.php?f=3&t=4368)
+ - fixed a few REFCOUNT false positives in SNMP related statistics
+
+ arch/x86/Kconfig | 2 +-
+ arch/x86/include/asm/mmu_context.h | 17 +++++++++++++++++
+ include/net/snmp.h | 10 +++++-----
+ kernel/fork.c | 11 +++++++++--
+ net/ipv4/proc.c | 8 ++++----
+ net/ipv6/addrconf.c | 4 ++--
+ net/ipv6/proc.c | 10 +++++-----
+ 7 files changed, 43 insertions(+), 19 deletions(-)
+
+commit 904114c2fce3fdff5d57e763da56a78960db4e19
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Jan 22 18:08:52 2016 -0500
- Protect kexec_load_disabled as well, even though it's disabled under
- GRKERNSEC_KMEM already
+ make sure that freeing shmem fast symlinks is RCU-delayed
+
+ Cc: stable@vger.kernel.org # v4.2+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- kernel/kexec.c | 2 +-
- kernel/sysctl.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ include/linux/shmem_fs.h | 5 +----
+ mm/shmem.c | 9 ++++-----
+ 2 files changed, 5 insertions(+), 9 deletions(-)
-commit b16ef6f1b3f856c0fd8fad389ab82294dd34fb37
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 15:10:12 2015 -0400
+commit ab86adee64312a2f827dd516cb199521327943ed
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon Jan 18 19:23:51 2016 -0500
- Add additional missing Broadcom firmware
+ netfilter: nf_conntrack: use safer way to lock all buckets
+
+ When we need to lock all buckets in the connection hashtable we'd attempt to
+ lock 1024 spinlocks, which is way more preemption levels than supported by
+ the kernel. Furthermore, this behavior was hidden by checking if lockdep is
+ enabled, and if it was - use only 8 buckets(!).
+
+ Fix this by using a global lock and synchronize all buckets on it when we
+ need to lock them all. This is pretty heavyweight, but is only done when we
+ need to resize the hashtable, and that doesn't happen often enough (or at all).
+
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+ Reviewed-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ Conflicts:
+
+ net/netfilter/nfnetlink_cttimeout.c
+
+ include/net/netfilter/nf_conntrack_core.h | 8 ++----
+ net/netfilter/nf_conntrack_core.c | 38 +++++++++++++++++++++-------
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 2 +-
+ 4 files changed, 33 insertions(+), 17 deletions(-)
+
+commit 37014723527225481c720484bb788a1a6358072f
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Jan 18 16:36:09 2016 +0100
+
+ pipe: limit the per-user amount of pages allocated in pipes
+
+ On no-so-small systems, it is possible for a single process to cause an
+ OOM condition by filling large pipes with data that are never read. A
+ typical process filling 4000 pipes with 1 MB of data will use 4 GB of
+ memory. On small systems it may be tricky to set the pipe max size to
+ prevent this from happening.
+
+ This patch makes it possible to enforce a per-user soft limit above
+ which new pipes will be limited to a single page, effectively limiting
+ them to 4 kB each, as well as a hard limit above which no new pipes may
+ be created for this user. This has the effect of protecting the system
+ against memory abuse without hurting other users, and still allowing
+ pipes to work correctly though with less data at once.
+
+ The limit are controlled by two new sysctls : pipe-user-pages-soft, and
+ pipe-user-pages-hard. Both may be disabled by setting them to zero. The
+ default soft limit allows the default number of FDs per process (1024)
+ to create pipes of the default size (64kB), thus reaching a limit of 64MB
+ before starting to create only smaller pipes. With 256 processes limited
+ to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
+ 1084 MB of memory allocated for a user. The hard limit is disabled by
+ default to avoid breaking existing applications that make intensive use
+ of pipes (eg: for splicing).
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- firmware/Makefile | 1 +
- firmware/WHENCE | 1 +
- firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 ++++++++++++++++++++++++++++++
- 3 files changed, 5806 insertions(+), 0 deletions(-)
+ Documentation/sysctl/fs.txt | 23 +++++++++++++++++++++
+ fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++-
+ include/linux/pipe_fs_i.h | 4 +++
+ include/linux/sched.h | 1 +
+ kernel/sysctl.c | 14 ++++++++++++
+ 5 files changed, 87 insertions(+), 2 deletions(-)
-commit dc3a346dcef9b4aec5c6529c786350da2e470aea
-Merge: 5523ddd 24124ed
+commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8
+Merge: 540f2af 7791ecb
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 12:48:23 2015 -0400
+Date: Sat Jan 23 10:57:11 2016 -0500
Merge branch 'pax-test' into grsec-test
-commit 24124edb545ae3bdbd00f4f3657a0a30a883580f
+commit 7791ecb84f840343a5646236fd0d34e1fb450793
+Merge: 470069c 399588c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 12:47:40 2015 -0400
+Date: Sat Jan 23 10:56:47 2016 -0500
- Update to pax-linux-4.1.3-test8.patch:
- - backported the recent NMI fixes for CVE-2015-3290, CVE-2015-3291 and CVE-2015-5157, by Andy Lutomirski <luto@kernel.org> (https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git/log/?h=x86/nmi-backport and http://seclists.org/oss-sec/2015/q3/168)
+ Merge branch 'linux-4.3.y' into pax-test
- arch/x86/kernel/entry_64.S | 314 +++++++++++++++++++++++++++++---------------
- arch/x86/kernel/nmi.c | 139 +++++++++-----------
- 2 files changed, 267 insertions(+), 186 deletions(-)
-
-commit 5523ddde21cc0a2c16a0aed628e3488de0598f58
+commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 11:49:44 2015 -0400
+Date: Tue Jan 19 21:18:47 2016 -0500
- compile fix
+ Update size_overflow hash table
- kernel/sysctl.c | 4 +++-
+ .../size_overflow_plugin/size_overflow_hash.data | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
-commit 4e0fa4c29dab6b0cf5e183d31b7f84dd83d86d9d
+commit 7e649765626a28437f573f0fbe7a51a04615f041
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 11:28:15 2015 -0400
+Date: Tue Jan 19 20:29:46 2016 -0500
- Implement modify_ldt sysctl toggle from https://lkml.org/lkml/2015/7/25/103,
- make it not depend on CONFIG_MODIFY_LDT_SYSCALL, force modify_ldt to off
- regardless of config setting if grsec is enabled (with the allowance to
- turn it on at runtime), and harden up the implementation a bit
+ Backport fix from: https://lkml.org/lkml/2015/12/13/187
- Documentation/sysctl/kernel.txt | 15 +++++++++++++++
- arch/x86/Kconfig | 16 ++++++++++++++++
- arch/x86/kernel/ldt.c | 18 ++++++++++++++++++
- kernel/sysctl.c | 8 ++++++++
- 4 files changed, 57 insertions(+), 0 deletions(-)
+ fs/ext4/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-commit 532568688f8e8535f3045cba322a8ecde5c47653
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 11:02:49 2015 -0400
+commit 53b859cd0a5f5b6ad54fe0c879dfedaa3c5a3005
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:30 2016 +0100
- compile fix
+ compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
+
+ This replaces all code in fs/compat_ioctl.c that translated
+ ioctl arguments into a in-kernel structure, then performed
+ do_ioctl under set_fs(KERNEL_DS), with code that allocates
+ data on the user stack and can call the VFS ioctl handler
+ under USER_DS.
+
+ This is done as a hardening measure because the caller
+ does not know what kind of ioctl handler will be invoked,
+ only that no corresponding compat_ioctl handler exists and
+ what the ioctl command number is. The accidental
+ invocation of an unlocked_ioctl handler that unexpectedly
+ calls copy_to_user could be a severe security issue.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/compat_ioctl.c
- grsecurity/grsec_sysctl.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ fs/compat_ioctl.c | 130 ++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 68 insertions(+), 62 deletions(-)
-commit 5e354cb8e19b2584a7b98bf998abb798cdc3a673
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 10:59:07 2015 -0400
+commit 3e89e770ae27e931cd1583f021abac41eeebc3e7
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Jan 7 09:53:30 2016 -0500
- compile fix
+ compat_ioctl: don't pass fd around when not needed
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- include/linux/sysctl.h | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
+ fs/compat_ioctl.c | 103 ++++++++++++++++++++++++++--------------------------
+ fs/internal.h | 7 ++++
+ fs/ioctl.c | 4 +-
+ include/linux/fs.h | 2 -
+ 4 files changed, 61 insertions(+), 55 deletions(-)
+
+commit 9d4e04082752d4d2d68445c4e6faf33a2613df55
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:29 2016 +0100
+
+ compat_ioctl: don't look up the fd twice
+
+ In code in fs/compat_ioctl.c that translates ioctl arguments
+ into a in-kernel structure, then performs sys_ioctl, possibly
+ under set_fs(KERNEL_DS), this commit changes the sys_ioctl
+ calls to do_ioctl calls. do_ioctl is a new function that does
+ the same thing as sys_ioctl, but doesn't look up the fd again.
+
+ This change is made to avoid (potential) security issues
+ because of ioctl handlers that accept one of the ioctl
+ commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
+ TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
+ This can happen for multiple reasons:
+
+ - The ioctl command number could be reused.
+ - The ioctl handler might not check the full ioctl
+ command. This is e.g. true for drm_ioctl.
+ - The ioctl handler is very special, e.g. cuse_file_ioctl
+
+ The real issue is that set_fs(KERNEL_DS) is used here,
+ but that's fixed in a separate commit
+ "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
+
+ This change mitigates potential security issues by
+ preventing a race that permits invocation of
+ unlocked_ioctl handlers under KERNEL_DS through compat
+ code even if a corresponding compat_ioctl handler exists.
+
+ So far, no way has been identified to use this to damage
+ kernel memory without having CAP_SYS_ADMIN in the init ns
+ (with the capability, doing reads/writes at arbitrary
+ kernel addresses should be easy through CUSE's ioctl
+ handler with FUSE_IOCTL_UNRESTRICTED set).
+
+ [AV: two missed sys_ioctl() taken care of]
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-commit ff2992ddd0298fb7a507e599be8240ab5f6b2503
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 25 10:50:51 2015 -0400
-
- Add framework for having ambiently read-only sysctl variables.
- Add all grsecurity sysctl entries to it, as well as security-relevant
- upstream sysctl values (modules_disabled, kptr_restrict, etc)
-
- grsecurity/grsec_init.c | 104 ++++++++++++++++++++++----------------------
- grsecurity/grsec_sysctl.c | 104 ++++++++++++++++++++++----------------------
- include/linux/sysctl.h | 2 +
- kernel/events/core.c | 6 +-
- kernel/module.c | 2 +-
- kernel/printk/printk.c | 2 +-
- kernel/sysctl.c | 89 +++++++++++++++++++++++++++++++++++---
- lib/vsprintf.c | 4 +-
- 8 files changed, 195 insertions(+), 118 deletions(-)
-
-commit d265460434f9f8ab420d67e961b5a80b3cd3dc82
-Author: Alex Williamson <alex.williamson@redhat.com>
-Date: Tue Jul 14 14:48:53 2015 -0600
-
- iommu/vt-d: Fix VM domain ID leak
-
- This continues the attempt to fix commit fb170fb4c548 ("iommu/vt-d:
- Introduce helper functions to make code symmetric for readability").
- The previous attempt in commit 71684406905f ("iommu/vt-d: Detach
- domain *only* from attached iommus") overlooked the fact that
- dmar_domain.iommu_bmp gets cleared for VM domains when devices are
- detached:
-
- intel_iommu_detach_device
- domain_remove_one_dev_info
- domain_detach_iommu
-
- The domain is detached from the iommu, but the iommu is still attached
- to the domain, for whatever reason. Thus when we get to domain_exit(),
- we can't rely on iommu_bmp for VM domains to find the active iommus,
- we must check them all. Without that, the corresponding bit in
- intel_iommu.domain_ids doesn't get cleared and repeated VM domain
- creation and destruction will run out of domain IDs. Meanwhile we
- still can't call iommu_detach_domain() on arbitrary non-VM domains or
- we risk clearing in-use domain IDs, as 71684406905f attempted to
- address.
-
- It's tempting to modify iommu_detach_domain() to test the domain
- iommu_bmp, but the call ordering from domain_remove_one_dev_info()
- prevents it being able to work as fb170fb4c548 seems to have intended.
- Caching of unused VM domains on the iommu object seems to be the root
- of the problem, but this code is far too fragile for that kind of
- rework to be proposed for stable, so we simply revert this chunk to
- its state prior to fb170fb4c548.
-
- Fixes: fb170fb4c548 ("iommu/vt-d: Introduce helper functions to make
- code symmetric for readability")
- Fixes: 71684406905f ("iommu/vt-d: Detach domain *only* from attached
- iommus")
- Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
- Cc: Jiang Liu <jiang.liu@linux.intel.com>
- Cc: stable@vger.kernel.org # v3.17+
- Signed-off-by: Joerg Roedel <jroedel@suse.de>
-
- drivers/iommu/intel-iommu.c | 9 ++++++---
- 1 files changed, 6 insertions(+), 3 deletions(-)
+ fs/compat_ioctl.c | 122 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 68 insertions(+), 54 deletions(-)
-commit 2a4ff00000e1d36651ec534b8ef59435b9798835
-Author: Eric W. Biederman <ebiederm@xmission.com>
-Date: Fri Jul 17 14:54:27 2015 -0500
+commit 5bf9e1ed4ebb278cd956ba142914fc04a024309c
+Author: Vasily Kulikov <segoon@openwall.com>
+Date: Fri Jan 15 16:57:55 2016 -0800
- mnt: In detach_mounts detach the appropriate unmounted mount
+ include/linux/poison.h: use POISON_POINTER_DELTA for poison pointers
- The handling of in detach_mounts of unmounted but connected mounts is
- buggy and can lead to an infinite loop.
+ TIMER_ENTRY_STATIC is defined as a poison pointers which
+ should point to nowhere. Redefine them using POISON_POINTER_DELTA
+ arithmetics to make sure they really point to non-mappable area declared
+ by the target architecture.
- Correct the handling of unmounted mounts in detach_mount. When the
- mountpoint of an unmounted but connected mount is connected to a
- dentry, and that dentry is deleted we need to disconnect that mount
- from the parent mount and the deleted dentry.
+ Signed-off-by: Vasily Kulikov <segoon@openwall.com>
+ Acked-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Solar Designer <solar@openwall.com>
+ Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- Nothing changes for the unmounted and connected children. They can be
- safely ignored.
+ Conflicts:
- Cc: stable@vger.kernel.org
- Fixes: ce07d891a0891d3c0d0c2d73d577490486b809e1 mnt: Honor MNT_LOCKED when detaching mounts
- Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ include/linux/poison.h
- fs/namespace.c | 7 ++-----
- 1 files changed, 2 insertions(+), 5 deletions(-)
+ include/linux/poison.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60f2e0a05ab8f56c804a9334a23e2b446305d110
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:41:44 2016 -0500
-commit 4056b87d96d91d73041c360e8260a4a7b6d803ca
-Author: Eric W. Biederman <ebiederm@xmission.com>
-Date: Fri Jul 17 14:15:30 2015 -0500
+ Fix ARM compilation, reported by Austin Sepp
- mnt: Clarify and correct the disconnect logic in umount_tree
-
- rmdir mntpoint will result in an infinite loop when there is
- a mount locked on the mountpoint in another mount namespace.
+ grsecurity/grsec_sig.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e15383743443dc43460a2fd73e0db0b608610dca
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Mon Jan 18 13:52:47 2016 +0100
+
+ ALSA: hrtimer: Fix stall by hrtimer_cancel()
- This is because the logic to test to see if a mount should
- be disconnected in umount_tree is buggy.
+ hrtimer_cancel() waits for the completion from the callback, thus it
+ must not be called inside the callback itself. This was already a
+ problem in the past with ALSA hrtimer driver, and the early commit
+ [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
- Move the logic to decide if a mount should remain connected to
- it's mountpoint into it's own function disconnect_mount so that
- clarity of expression instead of terseness of expression becomes
- a virtue.
+ However, the previous fix is still insufficient: it may still cause a
+ lockup when the ALSA timer instance reprograms itself in its callback.
+ Then it invokes the start function even in snd_timer_interrupt() that
+ is called in hrtimer callback itself, results in a CPU stall. This is
+ no hypothetical problem but actually triggered by syzkaller fuzzer.
- When the conditions where it is invalid to leave a mount connected
- are first ruled out, the logic for deciding if a mount should
- be disconnected becomes much clearer and simpler.
+ This patch tries to fix the issue again. Now we call
+ hrtimer_try_to_cancel() at both start and stop functions so that it
+ won't fall into a deadlock, yet giving some chance to cancel the queue
+ if the functions have been called outside the callback. The proper
+ hrtimer_cancel() is called in anyway at closing, so this should be
+ enough.
- Fixes: e0c9c0afd2fc958ffa34b697972721d81df8a56f mnt: Update detach_mounts to leave mounts connected
- Fixes: ce07d891a0891d3c0d0c2d73d577490486b809e1 mnt: Honor MNT_LOCKED when detaching mounts
- Cc: stable@vger.kernel.org
- Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+ Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- fs/namespace.c | 35 +++++++++++++++++++++++++++++++----
- fs/pnode.h | 2 --
- 2 files changed, 31 insertions(+), 6 deletions(-)
+ sound/core/hrtimer.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit beae0745e79a74772b8d9a0c4ece83d23d851716
-Author: Nicolas Schichan <nschichan@freebox.fr>
-Date: Tue Jul 21 14:14:12 2015 +0200
+commit 12d874daf706e6e7c1ae709141859c809599297e
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 12:38:02 2016 +0100
- ARM: net: fix condition for load_order > 0 when translating load instructions.
-
- To check whether the load should take the fast path or not, the code
- would check that (r_skb_hlen - load_order) is greater than the offset
- of the access using an "Unsigned higher or same" condition. For
- halfword accesses and an skb length of 1 at offset 0, that test is
- valid, as we end up comparing 0xffffffff(-1) and 0, so the fast path
- is taken and the filter allows the load to wrongly succeed. A similar
- issue exists for word loads at offset 0 and an skb length of less than
- 4.
+ ALSA: seq: Fix missing NULL check at remove_events ioctl
- Fix that by using the condition "Signed greater than or equal"
- condition for the fast path code for load orders greater than 0.
+ snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+ unconditionally even if there is no FIFO assigned, and this leads to
+ an Oops due to NULL dereference. The fix is just to add a proper NULL
+ check.
- Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- arch/arm/net/bpf_jit_32.c | 2 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
-commit 36523ec244eb01a4fce02a1cbc0643eb80a55324
-Author: Nicolas Schichan <nschichan@freebox.fr>
-Date: Tue Jul 21 14:14:13 2015 +0200
+commit 2eb0632df1351378946507e7ef7ba0682632a7b5
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 15:36:27 2016 +0100
- ARM: net: handle negative offsets in BPF JIT.
+ ALSA: seq: Fix race at timer setup and close
- Previously, the JIT would reject negative offsets known during code
- generation and mishandle negative offsets provided at runtime.
+ ALSA sequencer code has an open race between the timer setup ioctl and
+ the close of the client. This was triggered by syzkaller fuzzer, and
+ a use-after-free was caught there as a result.
- Fix that by calling bpf_internal_load_pointer_neg_helper()
- appropriately in the jit_get_skb_{b,h,w} slow path helpers and by forcing
- the execution flow to the slow path helpers when the offset is
- negative.
+ This patch papers over it by adding a proper queue->timer_mutex lock
+ around the timer-related calls in the relevant code path.
- Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- arch/arm/net/bpf_jit_32.c | 47 ++++++++++++++++++++++++++++++++++++--------
- 1 files changed, 38 insertions(+), 9 deletions(-)
+ sound/core/seq/seq_queue.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
-commit 7202f5f549b01fe9fa5837c7102668895ea6916e
-Author: Nicolas Schichan <nschichan@freebox.fr>
-Date: Tue Jul 21 14:14:14 2015 +0200
+commit b9e55ab955e59b4a636d78a748be90334a48b485
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Jan 14 16:30:58 2016 +0100
- ARM: net: fix vlan access instructions in ARM JIT.
+ ALSA: timer: Harden slave timer list handling
- This makes BPF_ANC | SKF_AD_VLAN_TAG and BPF_ANC | SKF_AD_VLAN_TAG_PRESENT
- have the same behaviour as the in kernel VM and makes the test_bpf LD_VLAN_TAG
- and LD_VLAN_TAG_PRESENT tests pass.
+ A slave timer instance might be still accessible in a racy way while
+ operating the master instance as it lacks of locking. Since the
+ master operation is mostly protected with timer->lock, we should cope
+ with it while changing the slave instance, too. Also, some linked
+ lists (active_list and ack_list) of slave instances aren't unlinked
+ immediately at stopping or closing, and this may lead to unexpected
+ accesses.
- Signed-off-by: Nicolas Schichan <nschichan@freebox.fr>
- Signed-off-by: David S. Miller <davem@davemloft.net>
-
- arch/arm/net/bpf_jit_32.c | 8 +++++---
- 1 files changed, 5 insertions(+), 3 deletions(-)
-
-commit 87b1904179ce906f1d9926a19184f6e38448e527
-Author: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
-Date: Fri Jul 17 14:01:11 2015 +0300
-
- net: ratelimit warnings about dst entry refcount underflow or overflow
+ This patch tries to address these issues. It adds spin lock of
+ timer->lock (either from master or slave, which is equivalent) in a
+ few places. For avoiding a deadlock, we ensure that the global
+ slave_active_lock is always locked at first before each timer lock.
- Kernel generates a lot of warnings when dst entry reference counter
- overflows and becomes negative. That bug was seen several times at
- machines with outdated 3.10.y kernels. Most like it's already fixed
- in upstream. Anyway that flood completely kills machine and makes
- further debugging impossible.
+ Also, ack and active_list of slave instances are properly unlinked at
+ snd_timer_stop() and snd_timer_close().
- Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Last but not least, remove the superfluous call of _snd_timer_stop()
+ at removing slave links. This is a noop, and calling it may confuse
+ readers wrt locking. Further cleanup will follow in a later patch.
+
+ Actually we've got reports of use-after-free by syzkaller fuzzer, and
+ this hopefully fixes these issues.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- net/core/dst.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 files changed, 14 insertions(+), 4 deletions(-)
-commit ba84fb968446cbe2499439d812ca80886a17d5c9
-Author: Simon Guinot <simon.guinot@sequanux.org>
-Date: Sun Jul 19 13:00:53 2015 +0200
+commit f1ce0547bdfda1b42ae8a66c222f2a897cbe1586
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 17:48:01 2016 +0100
- net: mvneta: fix refilling for Rx DMA buffers
+ ALSA: timer: Fix race among timer ioctls
- With the actual code, if a memory allocation error happens while
- refilling a Rx descriptor, then the original Rx buffer is both passed
- to the networking stack (in a SKB) and let in the Rx ring. This leads
- to various kernel oops and crashes.
+ ALSA timer ioctls have an open race and this may lead to a
+ use-after-free of timer instance object. A simplistic fix is to make
+ each ioctl exclusive. We have already tread_sem for controlling the
+ tread, and extend this as a global mutex to be applied to each ioctl.
- As a fix, this patch moves Rx descriptor refilling ahead of building
- SKB with the associated Rx buffer. In case of a memory allocation
- failure, data is dropped and the original DMA buffer is put back into
- the Rx ring.
+ The downside is, of course, the worse concurrency. But these ioctls
+ aren't to be parallel accessible, in anyway, so it should be fine to
+ serialize there.
- Signed-off-by: Simon Guinot <simon.guinot@sequanux.org>
- Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
- Cc: <stable@vger.kernel.org> # v3.8+
- Tested-by: Yoann Sculo <yoann@sculo.fr>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- drivers/net/ethernet/marvell/mvneta.c | 22 ++++++++++------------
- 1 files changed, 10 insertions(+), 12 deletions(-)
+ sound/core/timer.c | 32 +++++++++++++++++++-------------
+ 1 files changed, 19 insertions(+), 13 deletions(-)
-commit b884f1d8eecd2404cf6f6dd1aba1ac0b93a37bca
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date: Fri Jul 17 22:38:43 2015 +0200
+commit 8347d8461ed48a98f9c76cc3cfcdad8217d314bc
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 21:35:06 2016 +0100
- sched: cls_bpf: fix panic on filter replace
+ ALSA: timer: Fix double unlink of active_list
- The following test case causes a NULL pointer dereference in cls_bpf:
+ ALSA timer instance object has a couple of linked lists and they are
+ unlinked unconditionally at snd_timer_stop(). Meanwhile
+ snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+ the element list itself unchanged. This ends up with unlinking twice,
+ and it was caught by syzkaller fuzzer.
- FOO="1,6 0 0 4294967295,"
- tc filter add dev foo parent 1: bpf bytecode "$FOO" flowid 1:1 action ok
- tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
- bpf bytecode "$FOO" flowid 1:1 action drop
+ The fix is to use list_del_init() variant properly there, too.
- The problem is that commit 1f947bf151e9 ("net: sched: rcu'ify cls_bpf")
- accidentally swapped the arguments of list_replace_rcu(), the old
- element needs to be the first argument and the new element the second.
-
- Fixes: 1f947bf151e9 ("net: sched: rcu'ify cls_bpf")
- Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
- Acked-by: John Fastabend <john.r.fastabend@intel.com>
- Acked-by: Alexei Starovoitov <ast@plumgrid.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
- net/sched/cls_bpf.c | 2 +-
+ sound/core/timer.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
-commit b7bc68bc309cdb7ad58f8e4ec6b5db95f921178b
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date: Fri Jul 17 22:38:45 2015 +0200
+commit 243aebb7ae71d6e11ea9880faa893d1d0d60cd75
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jan 18 18:03:48 2016 +0100
- sched: cls_flow: fix panic on filter replace
+ ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack
- The following test case causes a NULL pointer dereference in cls_flow:
+ It was seen that defective configurations of openvswitch could overwrite
+ the STACK_END_MAGIC and cause a hard crash of the kernel because of too
+ many recursions within ovs.
- tc filter add dev foo parent 1: handle 0x1 flow hash keys dst action ok
- tc filter replace dev foo parent 1: pref 49152 handle 0x1 \
- flow hash keys mark action drop
+ This problem arises due to the high stack usage of openvswitch. The rest
+ of the kernel is fine with the current limit of 10 (RECURSION_LIMIT).
- To be more precise, actually two different panics are fixed, the first
- occurs because tcf_exts_init() is not called on the newly allocated
- filter when we do a replace. And the second panic uncovered after that
- happens since the arguments of list_replace_rcu() are swapped, the old
- element needs to be the first argument and the new element the second.
+ We use the already existing recursion counter in ovs_execute_actions to
+ implement an upper bound of 5 recursions.
- Fixes: 70da9f0bf999 ("net: sched: cls_flow use RCU")
- Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
- Acked-by: John Fastabend <john.r.fastabend@intel.com>
+ Cc: Pravin Shelar <pshelar@ovn.org>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/sched/cls_flow.c | 5 +++--
- 1 files changed, 3 insertions(+), 2 deletions(-)
+ net/openvswitch/actions.c | 19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
-commit f17540910375d47fe675bc5f1080cac1418b7332
-Author: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
-Date: Mon Jul 13 11:32:43 2015 +0200
+commit 8080793479c6d5befe37a67b1dbd9e4e0a61af96
+Author: Ursula Braun <ursula.braun@de.ibm.com>
+Date: Tue Jan 19 10:41:33 2016 +0100
- parisc: mm: Fix a memory leak related to pmd not attached to the pgd
-
- Commit 0e0da48dee8d ("parisc: mm: don't count preallocated pmds")
- introduced a memory leak.
+ af_iucv: Validate socket address length in iucv_sock_bind()
- After this commit, the 'return' statement in pmd_free is executed in all
- cases. Even for pmd that are not attached to the pgd. So 'free_pages'
- can never be called anymore, leading to a memory leak.
+ Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Evgeny Cherkashin <Eugene.Crosser@ru.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/iucv/af_iucv.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 50a383c1c91ed7409c3cbdd41e662d6891463d1b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:32:54 2016 -0500
+
+ Apply the same fix as everyone else for the recent keys vulnerability that is
+ unexploitable under PAX_REFCOUNT
- Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
- Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
- Acked-by: Mikulas Patocka <mpatocka@redhat.com>
- Acked-by: Helge Deller <deller@gmx.de>
- Cc: stable@vger.kernel.org # v4.0+
- Signed-off-by: Helge Deller <deller@gmx.de>
+ Make a couple more changes that no one else can/will
- arch/parisc/include/asm/pgalloc.h | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
+ include/linux/key-type.h | 4 ++--
+ ipc/msgutil.c | 4 ++--
+ security/keys/internal.h | 2 +-
+ security/keys/process_keys.c | 1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
-commit ad167680a92c235b342491acdde96e38987e6aa3
-Author: Seymour, Shane M <shane.seymour@hp.com>
-Date: Thu Jul 2 12:01:10 2015 +0000
-
- st: null pointer dereference panic caused by use after kref_put by st_open
-
- Two SLES11 SP3 servers encountered similar crashes simultaneously
- following some kind of SAN/tape target issue:
-
- ...
- qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
- qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
- qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
- qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
- qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
- qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
- qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
- qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
- qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
- qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
- qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
- qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
- qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
- rport-3:0-0: blocked FC remote port time out: removing target and saving binding
- qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
- qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
- rport-2:0-0: blocked FC remote port time out: removing target and saving binding
- sg_rq_end_io: device detached
- BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
- IP: [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
- PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
- CPU 0
- ...
- Supported: No, Proprietary modules are loaded [1739975.390463]
- Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
- RIP: 0010:[<ffffffff8133b268>] [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
- RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202
- RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
- RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
- RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
- R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
- R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
- FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
- CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
- CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
- DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
- DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
- Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
- Stack:
- ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
- ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
- ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
- Call Trace:
- [<ffffffffa03fa309>] st_open+0x129/0x240 [st]
- [<ffffffff8115ea1e>] chrdev_open+0x13e/0x200
- [<ffffffff811588a8>] __dentry_open+0x198/0x310
- [<ffffffff81167d74>] do_last+0x1f4/0x800
- [<ffffffff81168fe9>] path_openat+0xd9/0x420
- [<ffffffff8116946c>] do_filp_open+0x4c/0xc0
- [<ffffffff8115a00f>] do_sys_open+0x17f/0x250
- [<ffffffff81468d92>] system_call_fastpath+0x16/0x1b
- [<00007f8e4f617fd0>] 0x7f8e4f617fcf
- Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 <f0> ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
- RIP [<ffffffff8133b268>] __pm_runtime_idle+0x28/0x90
- RSP <ffff8839dc1e7c68>
- CR2: 00000000000002a8
-
- Analysis reveals the cause of the crash to be due to STp->device
- being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
- calls scsi_tape_release(). In st_open() we jump to err_out after
- scsi_block_when_processing_errors() completes and returns the
- device as offline (sdev_state was SDEV_DEL):
-
- 1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
- 1181 module count. */
- 1182 static int st_open(struct inode *inode, struct file *filp)
- 1183 {
- 1184 int i, retval = (-EIO);
- 1185 int resumed = 0;
- 1186 struct scsi_tape *STp;
- 1187 struct st_partstat *STps;
- 1188 int dev = TAPE_NR(inode);
- 1189 char *name;
- ...
- 1217 if (scsi_autopm_get_device(STp->device) < 0) {
- 1218 retval = -EIO;
- 1219 goto err_out;
- 1220 }
- 1221 resumed = 1;
- 1222 if (!scsi_block_when_processing_errors(STp->device)) {
- 1223 retval = (-ENXIO);
- 1224 goto err_out;
- 1225 }
- ...
- 1264 err_out:
- 1265 normalize_buffer(STp->buffer);
- 1266 spin_lock(&st_use_lock);
- 1267 STp->in_use = 0;
- 1268 spin_unlock(&st_use_lock);
- 1269 scsi_tape_put(STp); <-- STp->device = 0 after this
- 1270 if (resumed)
- 1271 scsi_autopm_put_device(STp->device);
- 1272 return retval;
-
- The ref count for the struct scsi_tape had already been reduced
- to 1 when the .remove method of the st module had been called.
- The kref_put() in scsi_tape_put() caused scsi_tape_release()
- to be called:
-
- 0266 static void scsi_tape_put(struct scsi_tape *STp)
- 0267 {
- 0268 struct scsi_device *sdev = STp->device;
- 0269
- 0270 mutex_lock(&st_ref_mutex);
- 0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this
- 0272 scsi_device_put(sdev);
- 0273 mutex_unlock(&st_ref_mutex);
- 0274 }
-
- In scsi_tape_release() the struct scsi_device in the struct
- scsi_tape gets set to NULL:
-
- 4273 static void scsi_tape_release(struct kref *kref)
- 4274 {
- 4275 struct scsi_tape *tpnt = to_scsi_tape(kref);
- 4276 struct gendisk *disk = tpnt->disk;
- 4277
- 4278 tpnt->device = NULL; <<<---- where the dev is nulled
- 4279
- 4280 if (tpnt->buffer) {
- 4281 normalize_buffer(tpnt->buffer);
- 4282 kfree(tpnt->buffer->reserved_pages);
- 4283 kfree(tpnt->buffer);
- 4284 }
- 4285
- 4286 disk->private_data = NULL;
- 4287 put_disk(disk);
- 4288 kfree(tpnt);
- 4289 return;
- 4290 }
-
- Although the problem was reported on SLES11.3 the problem appears
- in linux-next as well.
-
- The crash is fixed by reordering the code so we no longer access
- the struct scsi_tape after the kref_put() is done on it in st_open().
-
- Signed-off-by: Shane Seymour <shane.seymour@hp.com>
- Signed-off-by: Darren Lavender <darren.lavender@hp.com>
- Reviewed-by: Johannes Thumshirn <jthumshirn@suse.com>
- Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
- Cc: stable@vger.kernel.org
- Signed-off-by: James Bottomley <JBottomley@Odin.com>
+commit b56c3a63f431c193400aee17543021950bd14bc4
+Merge: 38b1a3d 470069c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 18:30:19 2016 -0500
- drivers/scsi/st.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit 17389660416307cfab2095080c1e4471ee804f99
-Author: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
-Date: Fri Jul 17 16:23:42 2015 -0700
-
- include, lib: add __printf attributes to several function prototypes
-
- Using __printf attributes helps to detect several format string issues
- at compile time (even though -Wformat-security is currently disabled in
- Makefile). For example it can detect when formatting a pointer as a
- number, like the issue fixed in commit a3fa71c40f18 ("wl18xx: show
- rx_frames_per_rates as an array as it really is"), or when the arguments
- do not match the format string, c.f. for example commit 5ce1aca81435
- ("reiserfs: fix __RASSERT format string").
-
- To prevent similar bugs in the future, add a __printf attribute to every
- function prototype which needs one in include/linux/ and lib/. These
- functions were mostly found by using gcc's -Wsuggest-attribute=format
- flag.
-
- Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
- Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
- Cc: Felipe Balbi <balbi@ti.com>
- Cc: Joel Becker <jlbec@evilplan.org>
- Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+commit 470069cfedef2180313233d275be5901bd6d1135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 18:29:59 2016 -0500
+
+ Update to pax-linux-4.3.3-test22.patch:
+ - Emesed fixed a gcc induced intentional integer overflow in asix_rx_fixup_internal, reported by thomas callison caffrey
+ - fixed some more fallout from the drm_drivers constification, reported by Colin Childs and Toralf Foerster
+
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 ++++----------
+ drivers/gpu/drm/drm_pci.c | 3 +++
+ drivers/gpu/drm/gma500/psb_drv.c | 4 ----
+ drivers/gpu/drm/i915/i915_drv.c | 16 ++++++++--------
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 6 +++---
+ drivers/gpu/drm/radeon/radeon_drv.c | 4 +---
+ drivers/net/usb/asix_common.c | 3 ++-
+ include/drm/drmP.h | 1 +
+ 8 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 38b1a3d676f407865c3d41840df8213c5ad639c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 12:33:53 2016 -0500
+
+ As reported by Luis Ressel, the Kconfig help for GRKERNSEC_BRUTE
+ mentioned banning execution of suid/sgid binaries, though the kernel
+ source clearly only mentions banning execution of suid binaries. Since
+ there's no reason for us to not ban execution of sgid binaries as well,
+ make the implementation match the Kconfig description.
+
+ fs/exec.c | 4 ++--
+ grsecurity/grsec_sig.c | 27 ++++++++++++++-------------
+ include/linux/sched.h | 4 ++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+commit 8c3bcb7dbf7f606acfa0983e81f0f928da1f1ace
+Merge: d141a86 ea4a835
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:12:22 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
Conflicts:
-
- include/linux/clkdev.h
- include/linux/configfs.h
- include/linux/printk.h
-
- include/linux/clkdev.h | 5 +++--
- include/linux/compat.h | 2 +-
- include/linux/configfs.h | 3 ++-
- include/linux/cpu.h | 7 ++++---
- include/linux/dcache.h | 3 ++-
- include/linux/device.h | 15 +++++++--------
- include/linux/iommu.h | 2 +-
- include/linux/kernel.h | 9 +++++----
- include/linux/kobject.h | 5 +++--
- include/linux/mmiotrace.h | 2 +-
- include/linux/printk.h | 6 +++---
- lib/kobject.c | 5 +++--
- 12 files changed, 35 insertions(+), 29 deletions(-)
-
-commit 41d349e4ee5c4982523f42946a91bb78aa2a7cf6
-Author: Joonsoo Kim <js1304@gmail.com>
-Date: Fri Jul 17 16:24:15 2015 -0700
-
- mm/page_owner: fix possible access violation
-
- When I tested my new patches, I found that page pointer which is used
- for setting page_owner information is changed. This is because page
- pointer is used to set new migratetype in loop. After this work, page
- pointer could be out of bound. If this wrong pointer is used for
- page_owner, access violation happens. Below is error message that I
- got.
-
- BUG: unable to handle kernel paging request at 0000000000b00018
- IP: [<ffffffff81025f30>] save_stack_address+0x30/0x40
- PGD 1af2d067 PUD 166e0067 PMD 0
- Oops: 0002 [#1] SMP
- ...snip...
- Call Trace:
- print_context_stack+0xcf/0x100
- dump_trace+0x15f/0x320
- save_stack_trace+0x2f/0x50
- __set_page_owner+0x46/0x70
- __isolate_free_page+0x1f7/0x210
- split_free_page+0x21/0xb0
- isolate_freepages_block+0x1e2/0x410
- compaction_alloc+0x22d/0x2d0
- migrate_pages+0x289/0x8b0
- compact_zone+0x409/0x880
- compact_zone_order+0x6d/0x90
- try_to_compact_pages+0x110/0x210
- __alloc_pages_direct_compact+0x3d/0xe6
- __alloc_pages_nodemask+0x6cd/0x9a0
- alloc_pages_current+0x91/0x100
- runtest_store+0x296/0xa50
- simple_attr_write+0xbd/0xe0
- __vfs_write+0x28/0xf0
- vfs_write+0xa9/0x1b0
- SyS_write+0x46/0xb0
- system_call_fastpath+0x16/0x75
-
- This patch fixes this error by moving up set_page_owner().
-
- Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
- Cc: Mel Gorman <mgorman@suse.de>
- Cc: Vlastimil Babka <vbabka@suse.cz>
- Acked-by: Minchan Kim <minchan@kernel.org>
- Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ drivers/gpu/drm/i810/i810_drv.c
- mm/page_alloc.c | 4 +++-
- 1 files changed, 3 insertions(+), 1 deletions(-)
+commit ea4a835328ada6513ac013986764d6caea8cd348
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:11:30 2016 -0500
+
+ Update to pax-linux-4.3.3-test21.patch:
+ - fixed some fallout from the drm_drivers constification, reported by spender
+
+ drivers/gpu/drm/armada/armada_drv.c | 3 +--
+ drivers/gpu/drm/exynos/exynos_drm_drv.c | 1 -
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 6 +++++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
+
+commit d141a86fd66194bc3f896b6809b189e2f12a9a83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 13:16:36 2016 -0500
+
+ compile fix
-commit c7fc195271c087aaf6e7b9c19d632a03d0dcd44f
-Author: Joonsoo Kim <js1304@gmail.com>
-Date: Fri Jul 17 16:24:20 2015 -0700
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 4 +++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+commit 0d9dc4b25ea32c14561bcfe6b5b24f1b00fe0270
+Merge: 5fa135d bbda879
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:59:22 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit bbda87914edf63e27fb46670bf3a373f2b963c73
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:58:04 2016 -0500
+
+ Update to pax-linux-4.3.3-test20.patch:
+ - constified drm_driver
+ - Emese fixed a special case in handling __func__ in the initify plugin
+ - Emese fixed a false positive size overflow report in handling inbufBits, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=567048)
+ - fixed regression that caused perf to not resolve kernel code addresses under KERNEXEC/i386, reported by minipli
+
+ arch/x86/kernel/cpu/perf_event.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_ds.c | 7 +-
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 4 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/mm/mpx.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 8 ++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ drivers/gpu/drm/drm_pci.c | 6 +-
+ drivers/gpu/drm/gma500/psb_drv.c | 5 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.c | 15 ++--
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_irq.c | 88 ++++++++++----------
+ drivers/gpu/drm/mga/mga_drv.c | 5 +-
+ drivers/gpu/drm/mga/mga_drv.h | 2 +-
+ drivers/gpu/drm/mga/mga_state.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 13 ++--
+ drivers/gpu/drm/qxl/qxl_drv.c | 8 ++-
+ drivers/gpu/drm/qxl/qxl_ioctl.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.c | 4 +-
+ drivers/gpu/drm/r128/r128_drv.h | 2 +-
+ drivers/gpu/drm/r128/r128_state.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.c | 17 +++-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_kms.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 2 +-
+ drivers/gpu/drm/savage/savage_bci.c | 2 +-
+ drivers/gpu/drm/savage/savage_drv.c | 5 +-
+ drivers/gpu/drm/savage/savage_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_drv.c | 5 +-
+ drivers/gpu/drm/sis/sis_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_mm.c | 2 +-
+ drivers/gpu/drm/via/via_dma.c | 2 +-
+ drivers/gpu/drm/via/via_drv.c | 5 +-
+ drivers/gpu/drm/via/via_drv.h | 2 +-
+ include/drm/drmP.h | 2 +-
+ mm/slab.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 6 +-
+ tools/gcc/initify_plugin.c | 15 +++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 3 +-
+ 42 files changed, 156 insertions(+), 110 deletions(-)
+
+commit 5fa135dc116350e0205c39ef65eaf6496ed2748a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:19:23 2016 -0500
- mm/cma_debug: fix debugging alloc/free interface
+ compile fix
+
+ grsecurity/grsec_sig.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit a9090fa58f33f75c7450fda5721a9b13625a47d9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:10:37 2016 -0500
+
+ As pointed out by Jann Horn, some distros are starting to circumvent
+ previous assumptions about the attainability of a user to control
+ multiple UIDs by handing out suid binaries that allow a user to run
+ processes (including exploits) under a number of other pre-defined
+ UIDs. As this could potentially be used to bypass GRKERNSEC_BRUTE
+ (though it would have to involve some code path that doesn't involve
+ locks) fix that here by ensuring no more than 8 users on a system can
+ be banned before a reboot is required. If more are banned, a panic
+ is triggered.
+
+ grsecurity/grsec_sig.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit a8d37776e9521c567ebff6730d49312f72435f08
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Dec 3 11:12:07 2015 -0800
+
+ proc: add a reschedule point in proc_readfd_common()
- CMA has alloc/free interface for debugging. It is intended that
- alloc/free occurs in specific CMA region, but, currently, alloc/free
- interface is on root dir due to the bug so we can't select CMA region
- where alloc/free happens.
+ User can pass an arbitrary large buffer to getdents().
- This patch fixes this problem by making alloc/free interface per CMA
- region.
+ It is typically a 32KB buffer used by libc scandir() implementation.
- Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
- Acked-by: Michal Nazarewicz <mina86@mina86.com>
- Cc: Sasha Levin <sasha.levin@oracle.com>
- Cc: Stefan Strogin <stefan.strogin@gmail.com>
- Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ When scanning /proc/{pid}/fd, we can hold cpu way too long,
+ so add a cond_resched() to be kind with other tasks.
+
+ We've seen latencies of more than 50ms on real workloads.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- mm/cma_debug.c | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
+ fs/proc/fd.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit bdce4b16c357b6f1aa0de2ebc1e9e737de7b3835
-Author: Joonsoo Kim <js1304@gmail.com>
-Date: Fri Jul 17 16:24:23 2015 -0700
+commit 0adba75f8708f13b1f5d98ebe3fc2fb961e100c8
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 12 20:17:08 2016 +0100
- mm/cma_debug: correct size input to bitmap function
+ net: bpf: reject invalid shifts
- In CMA, 1 bit in bitmap means 1 << order_per_bits pages so size of
- bitmap is cma->count >> order_per_bits rather than just cma->count.
- This patch fixes it.
+ On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
+ constant shift that can't be encoded in the immediate field of the
+ UBFM/SBFM instructions is passed to the JIT. Since these shifts
+ amounts, which are negative or >= regsize, are invalid, reject them in
+ the eBPF verifier and the classic BPF filter checker, for all
+ architectures.
- Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
- Acked-by: Michal Nazarewicz <mina86@mina86.com>
- Cc: Sasha Levin <sasha.levin@oracle.com>
- Cc: Stefan Strogin <stefan.strogin@gmail.com>
- Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
- Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- mm/cma_debug.c | 7 ++++---
- 1 files changed, 4 insertions(+), 3 deletions(-)
+ kernel/bpf/verifier.c | 10 ++++++++++
+ net/core/filter.c | 5 +++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
-commit 9fdcb2243392e451c0dead8c1056085cedc295d9
-Author: Ming Lei <ming.lei@canonical.com>
-Date: Thu Jul 16 19:53:22 2015 +0800
+commit c248e115a73496625a1c64660d0eeefd67e55cbf
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri Jan 8 11:00:54 2016 -0200
- blk-mq: set default timeout as 30 seconds
+ sctp: fix use-after-free in pr_debug statement
- It is reasonable to set default timeout of request as 30 seconds instead of
- 30000 ticks, which may be 300 seconds if HZ is 100, for example, some arm64
- based systems may choose 100 HZ.
+ Dmitry Vyukov reported a use-after-free in the code expanded by the
+ macro debug_post_sfx, which is caused by the use of the asoc pointer
+ after it was freed within sctp_side_effect() scope.
- Signed-off-by: Ming Lei <ming.lei@canonical.com>
- Fixes: c76cbbcf4044 ("blk-mq: put blk_queue_rq_timeout together in blk_mq_init_queue()"
- Signed-off-by: Jens Axboe <axboe@fb.com>
+ This patch fixes it by allowing sctp_side_effect to clear that asoc
+ pointer when the TCB is freed.
+
+ As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
+ because it will trigger DELETE_TCB too on that same loop.
+
+ Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
+ but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
+ above. Fix it by returning SCTP_DISPOSITION_ABORT instead.
+
+ The macro is already prepared to handle such NULL pointer.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- block/blk-mq.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ net/sctp/sm_sideeffect.c | 11 ++++++-----
+ net/sctp/sm_statefuns.c | 17 ++++-------------
+ 2 files changed, 10 insertions(+), 18 deletions(-)
-commit 1a4d0e757cc0e4685c9df14a70a1ac589f25a094
-Author: WANG Cong <xiyou.wangcong@gmail.com>
-Date: Tue Jul 14 16:35:54 2015 +0300
-
- ipvlan: use rcu_deference_bh() in ipvlan_queue_xmit()
-
- In tx path rcu_read_lock_bh() is held, so we need rcu_deference_bh().
- This fixes the following warning:
-
- ===============================
- [ INFO: suspicious RCU usage. ]
- 4.1.0-rc1+ #1007 Not tainted
- -------------------------------
- drivers/net/ipvlan/ipvlan.h:106 suspicious rcu_dereference_check() usage!
-
- other info that might help us debug this:
-
- rcu_scheduler_active = 1, debug_locks = 0
- 1 lock held by dhclient/1076:
- #0: (rcu_read_lock_bh){......}, at: [<ffffffff817e8d84>] rcu_lock_acquire+0x0/0x26
-
- stack backtrace:
- CPU: 2 PID: 1076 Comm: dhclient Not tainted 4.1.0-rc1+ #1007
- Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
- 0000000000000001 ffff8800d381bac8 ffffffff81a4154f 000000003c1a3c19
- ffff8800d4d0a690 ffff8800d381baf8 ffffffff810b849f ffff880117d41148
- ffff880117d40000 ffff880117d40068 0000000000000156 ffff8800d381bb18
- Call Trace:
- [<ffffffff81a4154f>] dump_stack+0x4c/0x65
- [<ffffffff810b849f>] lockdep_rcu_suspicious+0x107/0x110
- [<ffffffff8165a522>] ipvlan_port_get_rcu+0x47/0x4e
- [<ffffffff8165ad14>] ipvlan_queue_xmit+0x35/0x450
- [<ffffffff817ea45d>] ? rcu_read_unlock+0x3e/0x5f
- [<ffffffff810a20bf>] ? local_clock+0x19/0x22
- [<ffffffff810b4781>] ? __lock_is_held+0x39/0x52
- [<ffffffff8165b64c>] ipvlan_start_xmit+0x1b/0x44
- [<ffffffff817edf7f>] dev_hard_start_xmit+0x2ae/0x467
- [<ffffffff817ee642>] __dev_queue_xmit+0x50a/0x60c
- [<ffffffff817ee7a7>] dev_queue_xmit_sk+0x13/0x15
- [<ffffffff81997596>] dev_queue_xmit+0x10/0x12
- [<ffffffff8199b41c>] packet_sendmsg+0xb6b/0xbdf
- [<ffffffff810b5ea7>] ? mark_lock+0x2e/0x226
- [<ffffffff810a1fcc>] ? sched_clock_cpu+0x9e/0xb7
- [<ffffffff817d56f9>] sock_sendmsg_nosec+0x12/0x1d
- [<ffffffff817d7257>] sock_sendmsg+0x29/0x2e
- [<ffffffff817d72cc>] sock_write_iter+0x70/0x91
- [<ffffffff81199563>] __vfs_write+0x7e/0xa7
- [<ffffffff811996bc>] vfs_write+0x92/0xe8
- [<ffffffff811997d7>] SyS_write+0x47/0x7e
- [<ffffffff81a4d517>] system_call_fastpath+0x12/0x6f
-
- Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
- Cc: Mahesh Bandewar <maheshb@google.com>
- Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
- Acked-by: Mahesh Bandewar <maheshb@google.com>
- Acked-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+commit 395ea8a9e73e184fc14153a033000bccf4213213
+Author: willy tarreau <w@1wt.eu>
+Date: Sun Jan 10 07:54:56 2016 +0100
+
+ unix: properly account for FDs passed over unix sockets
+
+ It is possible for a process to allocate and accumulate far more FDs than
+ the process' limit by sending them over a unix socket then closing them
+ to keep the process' fd count low.
+
+ This change addresses this problem by keeping track of the number of FDs
+ in flight per user and preventing non-privileged processes from having
+ more FDs in flight than their configured FD limit.
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/net/ipvlan/ipvlan.h | 5 +++++
- drivers/net/ipvlan/ipvlan_core.c | 2 +-
- 2 files changed, 6 insertions(+), 1 deletions(-)
+ include/linux/sched.h | 1 +
+ net/unix/af_unix.c | 24 ++++++++++++++++++++----
+ net/unix/garbage.c | 13 ++++++++-----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
-commit 748406865b681031a76395feff1a21c70becfbb0
-Author: Alexei Starovoitov <ast@plumgrid.com>
-Date: Tue Jul 14 12:15:19 2015 -0700
+commit cb207ab8fbd71dcfc4a49d533aba8085012543fd
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Thu Jan 7 14:52:43 2016 -0500
- tc: act_bpf: fix memory leak
+ net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
- prog->bpf_ops is populated when act_bpf is used with classic BPF and
- prog->bpf_name is optionally used with extended BPF.
- Fix memory leak when act_bpf is released.
+ proc_dostring() needs an initialized destination string, while the one
+ provided in proc_sctp_do_hmac_alg() contains stack garbage.
- Fixes: d23b8ad8ab23 ("tc: add BPF based action")
- Fixes: a8cb5f556b56 ("act_bpf: add initial eBPF support for actions")
- Acked-by: Daniel Borkmann <daniel@iogearbox.net>
- Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
+ Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
+ accessing invalid memory.
+
+ Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/sched/act_bpf.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ net/sctp/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-commit 2e4619c3f6717c3574c94203d4acf985b6edf05b
-Author: WANG Cong <xiyou.wangcong@gmail.com>
-Date: Tue Jul 14 11:21:58 2015 -0700
+commit 4014e09faf0fe9054119624ccfff1236e886b554
+Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue Nov 24 17:13:21 2015 -0500
- fq_codel: fix return value of fq_codel_drop()
+ RDS: fix race condition when sending a message on unbound socket
- The ->drop() is supposed to return the number of bytes it dropped,
- however fq_codel_drop() returns the index of the flow where it drops
- a packet from.
+ commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
- Fix this by introducing a helper to wrap fq_codel_drop().
+ Sasha's found a NULL pointer dereference in the RDS connection code when
+ sending a message to an apparently unbound socket. The problem is caused
+ by the code checking if the socket is bound in rds_sendmsg(), which checks
+ the rs_bound_addr field without taking a lock on the socket. This opens a
+ race where rs_bound_addr is temporarily set but where the transport is not
+ in rds_bind(), leading to a NULL pointer dereference when trying to
+ dereference 'trans' in __rds_conn_create().
- Cc: Eric Dumazet <edumazet@google.com>
- Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
- Signed-off-by: Cong Wang <cwang@twopensource.com>
- Acked-by: Eric Dumazet <edumazet@google.com>
+ Vegard wrote a reproducer for this issue, so kindly ask him to share if
+ you're interested.
+
+ I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+ with this patch, whereas I could without.
+
+ Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+ Cc: David S. Miller <davem@davemloft.net>
+
+ Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+ Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
+ Conflicts:
+
+ net/rds/send.c
+
+ net/rds/connection.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
+
+commit 206df8d01104344d7588d801016a281a4cd25556
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue Sep 8 10:53:40 2015 -0400
+
+ RDS: verify the underlying transport exists before creating a connection
+
+ There was no verification that an underlying transport exists when creating
+ a connection, this would cause dereferencing a NULL ptr.
+
+ It might happen on sockets that weren't properly bound before attempting to
+ send a message, which will cause a NULL ptr deref:
+
+ [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+ [135546.051270] Modules linked in:
+ [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+ [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+ [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+ [135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
+ [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+ [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+ [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+ [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+ [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+ [135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+ [135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+ [135546.064723] Stack:
+ [135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+ [135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+ [135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+ [135546.068629] Call Trace:
+ [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+ [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+ [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+ [135546.071981] rds_sendmsg (net/rds/send.c:1058)
+ [135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+ [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+ [135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+ [135546.076349] ? __might_fault (mm/memory.c:3795)
+ [135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+ [135546.078856] SYSC_sendto (net/socket.c:1657)
+ [135546.079596] ? SYSC_connect (net/socket.c:1628)
+ [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+ [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+ [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+ [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+ [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/sched/sch_fq_codel.c | 11 ++++++++++-
- 1 files changed, 10 insertions(+), 1 deletions(-)
+ net/rds/connection.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit 18294b99527edea4cba5cc5aca498d23eafaa81f
-Author: WANG Cong <xiyou.wangcong@gmail.com>
-Date: Tue Jul 14 11:21:57 2015 -0700
+commit 173fa03f05cf0ad485d49a42cbdee8844d3a689a
+Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+Date: Tue Jan 5 20:32:47 2016 -0500
- net_sched: fix a use-after-free in sfq
+ ftrace/module: Call clean up function when module init fails early
- Fixes: 25331d6ce42b ("net: sched: implement qstat helper routines")
- Cc: John Fastabend <john.fastabend@gmail.com>
- Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
- Signed-off-by: Cong Wang <cwang@twopensource.com>
- Signed-off-by: David S. Miller <davem@davemloft.net>
+ If the module init code fails after calling ftrace_module_init() and before
+ calling do_init_module(), we can suffer from a memory leak. This is because
+ ftrace_module_init() allocates pages to store the locations that ftrace
+ hooks are placed in the module text. If do_init_module() fails, it still
+ calls the MODULE_GOING notifiers which will tell ftrace to do a clean up of
+ the pages it allocated for the module. But if load_module() fails before
+ then, the pages allocated by ftrace_module_init() will never be freed.
+
+ Call ftrace_release_mod() on the module if load_module() fails before
+ getting to do_init_module().
+
+ Link: http://lkml.kernel.org/r/567CEA31.1070507@intel.com
+
+ Reported-by: "Qiu, PeiyangX" <peiyangx.qiu@intel.com>
+ Fixes: a949ae560a511 "ftrace/module: Hardcode ftrace_module_init() call into load_module()"
+ Cc: stable@vger.kernel.org # v2.6.38+
+ Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
- net/sched/sch_sfq.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ include/linux/ftrace.h | 1 +
+ kernel/module.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 0 deletions(-)
-commit c0cd739353abe2da2e9e08fef1f7ae4e6ae94a0f
-Author: WANG Cong <xiyou.wangcong@gmail.com>
-Date: Mon Jul 13 12:30:07 2015 -0700
+commit 1e5a4a81a4c16c8ac2e264b88a02cc2f42ed0399
+Author: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Date: Wed Jan 6 00:18:48 2016 -0800
- fq_codel: fix a use-after-free
+ net: possible use after free in dst_release
- Fixes: 25331d6ce42b ("net: sched: implement qstat helper routines")
- Cc: John Fastabend <john.fastabend@gmail.com>
- Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
- Signed-off-by: Cong Wang <cwang@twopensource.com>
+ dst_release should not access dst->flags after decrementing
+ __refcnt to 0. The dst_entry may be in dst_busy_list and
+ dst_gc_task may dst_destroy it before dst_release gets a chance
+ to access dst->flags.
+
+ Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
+ Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+ Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/sched/sch_fq_codel.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ net/core/dst.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit bfb0455793dd4e0f0b49d34a68b3249ab55565cc
+Author: Alan <gnomes@lxorguk.ukuu.org.uk>
+Date: Wed Jan 6 14:55:02 2016 +0000
-commit 5309e574e2fc2c9eb51e3c6d0c18b963e54b6af3
-Author: Daniel Borkmann <daniel@iogearbox.net>
-Date: Mon Jul 13 00:06:02 2015 +0200
-
- rtnetlink: reject non-IFLA_VF_PORT attributes inside IFLA_VF_PORTS
-
- Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
- attributes before passing them to driver"), we have a double nesting
- of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
- that is nested itself. While IFLA_VF_PORTS is a verified attribute
- from ifla_policy[], we only check if the IFLA_VF_PORTS container has
- IFLA_VF_PORT attributes and then pass the attribute's content itself
- via nla_parse_nested(). It would be more correct to reject inner types
- other than IFLA_VF_PORT instead of continuing parsing and also similarly
- as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN.
-
- Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
- Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
- Cc: Scott Feldman <sfeldma@gmail.com>
- Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
- Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+ mkiss: fix scribble on freed memory
+
+ commit d79f16c046086f4fe0d42184a458e187464eb83e fixed a user triggerable
+ scribble on free memory but added a new one which allows the user to
+ scribble even more and user controlled data into freed space.
+
+ As with 6pack we need to halt the queue before we free the buffers, because
+ the transmit logic is not protected by the semaphore.
+
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/core/rtnetlink.c | 11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
+ drivers/net/hamradio/mkiss.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
-commit 60e851424772877a48d95b4614a35ca7f8922b02
-Author: Herbert Xu <herbert@gondor.apana.org.au>
-Date: Mon Jul 13 16:04:13 2015 +0800
+commit 5cbbcbd32dc1949470f61d342503808fa9555276
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:49 2015 -0500
- net: Clone skb before setting peeked flag
+ mkiss: Fix use after free in mkiss_close().
+
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
- Shared skbs must not be modified and this is crucial for broadcast
- and/or multicast paths where we use it as an optimisation to avoid
- unnecessary cloning.
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b00171576794a98068e069a660f0991a6a5190ff
+Author: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Date: Tue Jan 5 11:51:25 2016 +0000
+
+ 6pack: fix free memory scribbles
- The function skb_recv_datagram breaks this rule by setting peeked
- without cloning the skb first. This causes funky races which leads
- to double-free.
+ commit acf673a3187edf72068ee2f92f4dc47d66baed47 fixed a user triggerable free
+ memory scribble but in doing so replaced it with a different one that allows
+ the user to control the data and scribble even more.
- This patch fixes this by cloning the skb and replacing the skb
- in the list when setting skb->peeked.
+ sixpack_close is called by the tty layer in tty context. The tty context is
+ protected by sp_get() and sp_put(). However network layer activity via
+ sp_xmit() is not protected this way. We must therefore stop the queue
+ otherwise the user gets to dump a buffer mostly of their choice into freed
+ kernel pages.
- Fixes: a59322be07c9 ("[UDP]: Only increment counter on first peek/recv")
- Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
- Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/core/datagram.c | 41 ++++++++++++++++++++++++++++++++++++++---
- 1 files changed, 38 insertions(+), 3 deletions(-)
+ drivers/net/hamradio/6pack.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit e8e18c6e6e66399c6c81847457e216931c78888a
-Author: Richard Stearn <richard@rns-stearn.demon.co.uk>
-Date: Mon Jul 13 11:38:24 2015 +0200
+commit 5b64a833907cd230a3106aeba2304b2c1bcd116d
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:32 2015 -0500
- NET: AX.25: Stop heartbeat timer on disconnect.
+ 6pack: Fix use after free in sixpack_close().
- This may result in a kernel panic. The bug has always existed but
- somehow we've run out of luck now and it bites.
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
+
+ Also we need to use del_timer_sync() for the timers so that we don't
+ have any asynchronous references after the unregister.
- Signed-off-by: Richard Stearn <richard@rns-stearn.demon.co.uk>
- Cc: stable@vger.kernel.org # all branches
- Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/ax25/ax25_subr.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ drivers/net/hamradio/6pack.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
-commit 6091b9490e663f1eb1195581b3c93fc752014aeb
-Author: Herbert Xu <herbert@gondor.apana.org.au>
-Date: Mon Jul 13 20:01:42 2015 +0800
+commit 4f9d532742656b3613d579220fd10c78f24ba37b
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 16:23:07 2016 +0100
- net: Fix skb csum races when peeking
-
- When we calculate the checksum on the recv path, we store the
- result in the skb as an optimisation in case we need the checksum
- again down the line.
+ net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
- This is in fact bogus for the MSG_PEEK case as this is done without
- any locking. So multiple threads can peek and then store the result
- to the same skb, potentially resulting in bogus skb states.
+ The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data
+ instructions since it XORs A with X while all the others replace A with
+ some loaded value. All the BPF JITs fail to clear A if this is used as
+ the first instruction in a filter. This was found using american fuzzy
+ lop.
- This patch fixes this by only storing the result if the skb is not
- shared. This preserves the optimisations for the few cases where
- it can be done safely due to locking or other reasons, e.g., SIOCINQ.
+ Add a helper to determine if A needs to be cleared given the first
+ instruction in a filter, and use this in the JITs. Except for ARM, the
+ rest have only been compile-tested.
- Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
- Acked-by: Eric Dumazet <edumazet@google.com>
+ Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum")
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
- net/core/datagram.c | 15 +++++++++------
- 1 files changed, 9 insertions(+), 6 deletions(-)
+ arch/arm/net/bpf_jit_32.c | 16 +---------------
+ arch/mips/net/bpf_jit.c | 16 +---------------
+ arch/powerpc/net/bpf_jit_comp.c | 13 ++-----------
+ arch/sparc/net/bpf_jit_comp.c | 17 ++---------------
+ include/linux/filter.h | 19 +++++++++++++++++++
+ 5 files changed, 25 insertions(+), 56 deletions(-)
-commit 03c466bdf7bbedcd25ee0ec9c0292967b44cc477
-Author: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Sun Jul 12 01:20:55 2015 +0300
+commit 570d88f8acfffda92b89ae2e1c47320d47256034
+Author: John Fastabend <john.fastabend@gmail.com>
+Date: Tue Jan 5 09:11:36 2016 -0800
- net/xen-netback: off by one in BUG_ON() condition
+ net: sched: fix missing free per cpu on qstats
- The > should be >=. I also added spaces around the '-' operations so
- the code is a little more consistent and matches the condition better.
+ When a qdisc is using per cpu stats (currently just the ingress
+ qdisc) only the bstats are being freed. This also free's the qstats.
- Fixes: f53c3fe8dad7 ('xen-netback: Introduce TX grant mapping')
- Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+ Fixes: b0ab6f92752b9f9d8 ("net: sched: enable per cpu qstats")
+ Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/net/xen-netback/netback.c | 6 +++---
- 1 files changed, 3 insertions(+), 3 deletions(-)
+ net/sched/sch_generic.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
-commit ed39de3e75da10b25c2bb469c3be5c09049474d0
-Author: Neil Horman <nhorman@tuxdriver.com>
-Date: Tue Jul 7 14:02:18 2015 -0400
+commit 32c0ebc51857ee83470a10dcb234d308a0ed1881
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 18:34:04 2016 +0100
- vmxnet3: prevent receive getting out of sequence on napi poll
+ ARM: net: bpf: fix zero right shift
- vmxnet3's current napi path is built to count every rx descriptor we recieve,
- and use that as a count of the napi budget. That means its possible to return
- from a napi poll halfway through recieving a fragmented packet accross multiple
- dma descriptors. If that happens, the next napi poll will start with the
- descriptor ring in an improper state (e.g. the first descriptor we look at may
- have the end-of-packet bit set), which will cause a BUG halt in the driver.
+ The LSR instruction cannot be used to perform a zero right shift since a
+ 0 as the immediate value (imm5) in the LSR instruction encoding means
+ that a shift of 32 is perfomed. See DecodeIMMShift() in the ARM ARM.
- Fix the issue by only counting whole received packets in the napi poll and
- returning that value, rather than the descriptor count.
+ Make the JIT skip generation of the LSR if a zero-shift is requested.
- Tested by the reporter and myself, successfully
+ This was found using american fuzzy lop.
- Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
- CC: Shreyas Bhatewara <sbhatewara@vmware.com>
- CC: "David S. Miller" <davem@davemloft.net>
- Acked-by: Andy Gospodarek <gospo@cumulusnetworks.com>
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/net/vmxnet3/vmxnet3_drv.c | 8 ++++----
- 1 files changed, 4 insertions(+), 4 deletions(-)
+ arch/arm/net/bpf_jit_32.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
-commit 3892929957683de4df7b0e8a0c17d7ebd5ca3e4f
-Author: Johannes Thumshirn <jthumshirn@suse.de>
-Date: Wed Jul 8 17:16:49 2015 +0200
+commit 51f5d291750285efa4d4bbe84e5ec23dc00c8d2d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 6 20:35:57 2016 -0500
- macvtap: Destroy minor_idr on module_exit
+ Don't perform hidden lookups in RBAC against the directory of
+ a file being opened with O_CREAT, reported by Karl Witt
- Destroy minor_idr on module_exit, reclaiming the allocated memory.
+ Conflicts:
- This was detected by the following semantic patch (written by Luis Rodriguez
- <mcgrof@suse.com>)
- <SmPL>
- @ defines_module_init @
- declarer name module_init, module_exit;
- declarer name DEFINE_IDR;
- identifier init;
- @@
+ fs/namei.c
+
+ fs/namei.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 5a8266a6b2769ccdb447256f95bc2577a73cccd1
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jan 5 10:46:00 2016 +0100
+
+ bridge: Only call /sbin/bridge-stp for the initial network namespace
- module_init(init);
+ [I stole this patch from Eric Biederman. He wrote:]
- @ defines_module_exit @
- identifier exit;
- @@
+ > There is no defined mechanism to pass network namespace information
+ > into /sbin/bridge-stp therefore don't even try to invoke it except
+ > for bridge devices in the initial network namespace.
+ >
+ > It is possible for unprivileged users to cause /sbin/bridge-stp to be
+ > invoked for any network device name which if /sbin/bridge-stp does not
+ > guard against unreasonable arguments or being invoked twice on the
+ > same network device could cause problems.
- module_exit(exit);
+ [Hannes: changed patch using netns_eq]
- @ declares_idr depends on defines_module_init && defines_module_exit @
- identifier idr;
- @@
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_stp_if.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 650d535cc39f0aeff2f57e60b6617be25d3ef48b
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Wed Dec 23 16:28:40 2015 -0200
+
+ sctp: use GFP_USER for user-controlled kmalloc
- DEFINE_IDR(idr);
+ Commit cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ missed two other spots.
- @ on_exit_calls_destroy depends on declares_idr && defines_module_exit @
- identifier declares_idr.idr, defines_module_exit.exit;
- @@
+ For connectx, as it's more likely to be used by kernel users of the API,
+ it detects if GFP_USER should be used or not.
- exit(void)
- {
- ...
- idr_destroy(&idr);
- ...
- }
+ Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit 5718a1f63c41fc156f729783423b002763779d04
+Author: Florian Westphal <fw@strlen.de>
+Date: Thu Dec 31 14:26:33 2015 +0100
+
+ connector: bump skb->users before callback invocation
- @ missing_module_idr_destroy depends on declares_idr && defines_module_exit && !on_exit_calls_destroy @
- identifier declares_idr.idr, defines_module_exit.exit;
- @@
+ Dmitry reports memleak with syskaller program.
+ Problem is that connector bumps skb usecount but might not invoke callback.
- exit(void)
- {
- ...
- +idr_destroy(&idr);
- }
- </SmPL>
+ So move skb_get to where we invoke the callback.
- Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/net/macvtap.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
+ drivers/connector/connector.c | 11 +++--------
+ 1 files changed, 3 insertions(+), 8 deletions(-)
-commit ae8298739e89fcd27c26a55ee7633068ad39f201
-Author: Vaishali Thakkar <vthakkar1994@gmail.com>
-Date: Wed Jul 8 10:49:30 2015 +0530
+commit 2e6372e6a97f8d642416899861f91777f44f13b7
+Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Sun Jan 3 18:56:38 2016 +0000
- net: systemport: Use eth_hw_addr_random
+ af_unix: Fix splice-bind deadlock
+
+ On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
+ system call and AF_UNIX sockets,
+
+ http://lists.openwall.net/netdev/2015/11/06/24
- Use eth_hw_addr_random() instead of calling random_ether_addr().
- Here, this change is setting addr_assign_type to NET_ADDR_RANDOM.
+ The situation was analyzed as
- The Coccinelle semantic patch that performs this transformation
- is as follows:
+ (a while ago) A: socketpair()
+ B: splice() from a pipe to /mnt/regular_file
+ does sb_start_write() on /mnt
+ C: try to freeze /mnt
+ wait for B to finish with /mnt
+ A: bind() try to bind our socket to /mnt/new_socket_name
+ lock our socket, see it not bound yet
+ decide that it needs to create something in /mnt
+ try to do sb_start_write() on /mnt, block (it's
+ waiting for C).
+ D: splice() from the same pipe to our socket
+ lock the pipe, see that socket is connected
+ try to lock the socket, block waiting for A
+ B: get around to actually feeding a chunk from
+ pipe to file, try to lock the pipe. Deadlock.
- @@
- identifier a,b;
- @@
+ on 2015/11/10 by Al Viro,
- -random_ether_addr(a->b);
- +eth_hw_addr_random(a);
+ http://lists.openwall.net/netdev/2015/11/10/4
- Signed-off-by: Vaishali Thakkar <vthakkar1994@gmail.com>
- Tested-by: Florian Fainelli <f.fainelli@gmail.com>
- Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+ The patch fixes this by removing the kern_path_create related code from
+ unix_mknod and executing it as part of unix_bind prior acquiring the
+ readlock of the socket in question. This means that A (as used above)
+ will sb_start_write on /mnt before it acquires the readlock, hence, it
+ won't indirectly block B which first did a sb_start_write and then
+ waited for a thread trying to acquire the readlock. Consequently, A
+ being blocked by C waiting for B won't cause a deadlock anymore
+ (effectively, both A and B acquire two locks in opposite order in the
+ situation described above).
+
+ Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
+
+ Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
- drivers/net/ethernet/broadcom/bcmsysport.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-commit eee71120eb1a9bb5289bba524cd8a1d3c86f7916
-Author: Vutla, Lokesh <lokeshvutla@ti.com>
-Date: Thu Jul 2 18:33:28 2015 +0530
-
- crypto: omap-des - Fix unmapping of dma channels
-
- dma_unmap_sg() is being called twice after completing the
- task. Looks like this is a copy paste error when creating
- des driver.
- With this the following warn appears during boot:
-
- [ 4.210457] ------------[ cut here ]------------
- [ 4.215114] WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:1080 check_unmap+0x710/0x9a0()
- [ 4.222899] omap-des 480a5000.des: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0x00000000ab2ce000] [size=8 bytes]
- [ 4.236785] Modules linked in:
- [ 4.239860] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.14.39-02999-g1bc045a-dirty #182
- [ 4.247918] [<c001678c>] (unwind_backtrace) from [<c0012574>] (show_stack+0x10/0x14)
- [ 4.255710] [<c0012574>] (show_stack) from [<c05a37e8>] (dump_stack+0x84/0xb8)
- [ 4.262977] [<c05a37e8>] (dump_stack) from [<c0046464>] (warn_slowpath_common+0x68/0x8c)
- [ 4.271107] [<c0046464>] (warn_slowpath_common) from [<c004651c>] (warn_slowpath_fmt+0x30/0x40)
- [ 4.279854] [<c004651c>] (warn_slowpath_fmt) from [<c02d50a4>] (check_unmap+0x710/0x9a0)
- [ 4.287991] [<c02d50a4>] (check_unmap) from [<c02d5478>] (debug_dma_unmap_sg+0x90/0x19c)
- [ 4.296128] [<c02d5478>] (debug_dma_unmap_sg) from [<c04a77d8>] (omap_des_done_task+0x1cc/0x3e4)
- [ 4.304963] [<c04a77d8>] (omap_des_done_task) from [<c004a090>] (tasklet_action+0x84/0x124)
- [ 4.313370] [<c004a090>] (tasklet_action) from [<c004a4ac>] (__do_softirq+0xf0/0x20c)
- [ 4.321235] [<c004a4ac>] (__do_softirq) from [<c004a840>] (irq_exit+0x98/0xec)
- [ 4.328500] [<c004a840>] (irq_exit) from [<c000f9ac>] (handle_IRQ+0x50/0xb0)
- [ 4.335589] [<c000f9ac>] (handle_IRQ) from [<c0008688>] (gic_handle_irq+0x28/0x5c)
-
- Removing the duplicate call to dma_unmap_sg().
- Cc: stable@vger.kernel.org
- Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
- Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
- Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- drivers/crypto/omap-des.c | 3 ---
- 1 files changed, 0 insertions(+), 3 deletions(-)
-
-commit 18664b993af1d940bc2fc3a440845840615d77ad
-Author: Al Viro <viro@zeniv.linux.org.uk>
-Date: Sun Jul 12 10:34:29 2015 -0400
-
- 9p: don't leave a half-initialized inode sitting around
+ Conflicts:
- Cc: stable@vger.kernel.org # all branches
- Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+ net/unix/af_unix.c
+
+ net/unix/af_unix.c | 70 +++++++++++++++++++++++++++++++--------------------
+ 1 files changed, 42 insertions(+), 28 deletions(-)
+
+commit 2e729e557c571f3253e32472cd7d382ac16cf1c3
+Author: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date: Thu Dec 31 13:11:28 2015 +0800
+
+ tracing: Fix setting of start_index in find_next()
+
+ When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+ panic at t_show.
+
+ general protection fault: 0000 [#1] PREEMPT SMP
+ CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+ RIP: 0010:[<ffffffff811375b2>]
+ [<ffffffff811375b2>] t_show+0x22/0xe0
+ RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+ RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+ R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+ R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+ FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+ CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+ CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+ Call Trace:
+ [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+ [<ffffffff811b749b>] vfs_read+0x9b/0x160
+ [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+ [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+ Kernel panic - not syncing: Fatal exception
+
+ When the first time find_next calls find_next_mod_format, it should
+ iterate the trace_bprintk_fmt_list to find the first print format of
+ the module. However in current code, start_index is smaller than *pos
+ at first, and code will not iterate the list. Latter container_of will
+ get the wrong address with former v, which will cause mod_fmt be a
+ meaningless object and so is the returned mod_fmt->fmt.
+
+ This patch will fix it by correcting the start_index. After fixed,
+ when the first time calls find_next_mod_format, start_index will be
+ equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+ get the right module printk format, so is the returned mod_fmt->fmt.
+
+ Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+ Cc: stable@vger.kernel.org # 3.12+
+ Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+ Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
- fs/9p/vfs_inode.c | 3 +--
- fs/9p/vfs_inode_dotl.c | 3 +--
- 2 files changed, 2 insertions(+), 4 deletions(-)
+ kernel/trace/trace_printk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit 5490b434dd429b33e1c7eac3c19f0a8db54bd00e
+commit 0994af4b1930f32aa493dc08145cd304f8bfc8f4
Author: Al Viro <viro@zeniv.linux.org.uk>
-Date: Sun Jul 12 10:39:45 2015 -0400
+Date: Mon Dec 28 20:47:08 2015 -0500
- fix a braino in ovl_d_select_inode()
+ [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64()
- when opening a directory we want the overlayfs inode, not one from
- the topmost layer.
-
- Reported-By: Andrey Jr. Melnikov <temnota.am@gmail.com>
- Tested-By: Andrey Jr. Melnikov <temnota.am@gmail.com>
+ Cc: stable@vger.kernel.org # 3.15+
+ Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
- fs/overlayfs/inode.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
+ arch/arm/kernel/sys_oabi-compat.c | 73 +++++++++++++++++++------------------
+ 1 files changed, 37 insertions(+), 36 deletions(-)
-commit 36b84539390fc30663a7a026eef598c4656124bc
-Author: Al Viro <viro@ZenIV.linux.org.uk>
-Date: Wed Jul 8 02:42:38 2015 +0100
-
- freeing unlinked file indefinitely delayed
-
- Normally opening a file, unlinking it and then closing will have
- the inode freed upon close() (provided that it's not otherwise busy and
- has no remaining links, of course). However, there's one case where that
- does *not* happen. Namely, if you open it by fhandle with cold dcache,
- then unlink() and close().
-
- In normal case you get d_delete() in unlink(2) notice that dentry
- is busy and unhash it; on the final dput() it will be forcibly evicted from
- dcache, triggering iput() and inode removal. In this case, though, we end
- up with *two* dentries - disconnected (created by open-by-fhandle) and
- regular one (used by unlink()). The latter will have its reference to inode
- dropped just fine, but the former will not - it's considered hashed (it
- is on the ->s_anon list), so it will stay around until the memory pressure
- will finally do it in. As the result, we have the final iput() delayed
- indefinitely. It's trivial to reproduce -
-
- void flush_dcache(void)
- {
- system("mount -o remount,rw /");
- }
-
- static char buf[20 * 1024 * 1024];
-
- main()
- {
- int fd;
- union {
- struct file_handle f;
- char buf[MAX_HANDLE_SZ];
- } x;
- int m;
-
- x.f.handle_bytes = sizeof(x);
- chdir("/root");
- mkdir("foo", 0700);
- fd = open("foo/bar", O_CREAT | O_RDWR, 0600);
- close(fd);
- name_to_handle_at(AT_FDCWD, "foo/bar", &x.f, &m, 0);
- flush_dcache();
- fd = open_by_handle_at(AT_FDCWD, &x.f, O_RDWR);
- unlink("foo/bar");
- write(fd, buf, sizeof(buf));
- system("df ."); /* 20Mb eaten */
- close(fd);
- system("df ."); /* should've freed those 20Mb */
- flush_dcache();
- system("df ."); /* should be the same as #2 */
- }
-
- will spit out something like
- Filesystem 1K-blocks Used Available Use% Mounted on
- /dev/root 322023 303843 1131 100% /
- Filesystem 1K-blocks Used Available Use% Mounted on
- /dev/root 322023 303843 1131 100% /
- Filesystem 1K-blocks Used Available Use% Mounted on
- /dev/root 322023 283282 21692 93% /
- - inode gets freed only when dentry is finally evicted (here we trigger
- than by remount; normally it would've happened in response to memory
- pressure hell knows when).
-
- Cc: stable@vger.kernel.org # v2.6.38+; earlier ones need s/kill_it/unhash_it/
- Acked-by: J. Bruce Fields <bfields@fieldses.org>
- Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-
- fs/dcache.c | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-commit 96e42524166fe104eb4ce2337ec83d827c5a1f9b
+commit 4ed030f65dcf3e6b0128032a49a7d75f947fa351
+Merge: de243c2 3adc55a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Jul 24 21:17:42 2015 -0400
-
- cred_subscribers has to do with the ->cred and ->real_cred fields, not our
- delayed_cred field, so don't count it towards it to avoid a BUG() with
- DEBUG_CREDENTIALS enabled
+Date: Tue Jan 5 18:10:10 2016 -0500
- kernel/cred.c | 1 -
- 1 files changed, 0 insertions(+), 1 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit 79a0711455de96f695e9eaf404a2e5e125ec918d
-Merge: 3aae0c0 b917aab
+commit 3adc55a5acfa429c2a7cc883aef08b960c0079b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 5 18:08:53 2016 -0500
+
+ Update to pax-linux-4.3.3-test16.patch:
+ - small cleanup in entry_64.S on x86
+ - Emese fixed the initify plugin to recursively check variable initializers, reported by Rasmus Villemoes
+ - fixed an integer truncation of a partially uninitialized value bug in em_pop_sreg, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4354)
+ - fixed alternatives patching of call insns under KERNEXEC/i386, reported by fly_a320 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4305) and TTgrsec (https://forums.grsecurity.net/viewtopic.php?f=3&t=4353)
+ - fixed a size overflow false positive that triggered in tcp_parse_options on arm, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350&p=15917#p15916)
+ - fixed a boot crash on amd64 with KERNEXEC/OR and CONTEXT_TRACKING, reported by Klaus Kusche (https://bugs.gentoo.org/show_bug.cgi?id=570420)
+
+ arch/x86/entry/entry_64.S | 60 +++++-----
+ arch/x86/kernel/alternative.c | 2 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ tools/gcc/initify_plugin.c | 123 +++++++++----------
+ .../disable_size_overflow_hash.data | 4 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ 6 files changed, 93 insertions(+), 102 deletions(-)
+
+commit de243c26efd0e423ca92db825af2c3f8eb1ca043
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Jul 24 07:30:44 2015 -0400
+Date: Tue Dec 29 18:01:24 2015 -0500
- Merge branch 'pax-test' into grsec-test
+ It was noticed during an internal audit that the code under GRKERNSEC_PROC_MEMMAP
+ which aimed to enforce a 16MB minimum on RLIMIT_DATA for suid/sgid binaries only
+ did so if RLIMIT_DATA was set lower than PAGE_SIZE.
- Conflicts:
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c
- drivers/tty/serial/8250/8250_core.c
- fs/proc/generic.c
+ This addition was only supplemental as GRKERNSEC_BRUTE is the main defense
+ against suid/sgid attacks and the flaw above would only eliminate the extra
+ entropy provided for the brk-managed heap, still leaving it with the minimum
+ of 16-bit entropy for mmap on x86 and 28 on x64.
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
-commit b917aabeb2d7b2f8621726a3741a312141eb823e
-Merge: bd9c3c8 c8bde72
+commit 8e264cfe47e5f08cdc9ed009a630277206cd2534
+Merge: 436201b 2584340
Author: Brad Spengler <spender@grsecurity.net>
-Date: Fri Jul 24 07:19:46 2015 -0400
+Date: Mon Dec 28 20:30:01 2015 -0500
- Update to pax-linux-4.1.3-test7.patch:
- - fixed another silly copy-paste error that would hang the kernel with i386 userland on an amd64 kernel, reported by spender
- - fixed silly copy-paste error that would cause early boot crashes on !PCID systems
- - disable the use of __int128 when the size overflow plugin is enabled
- - fixed plugin compile errors due to the previous update to gcc-common.h
- - Emese fixed a size overflow false positive, reported by gaima (https://forums.grsecurity.net/viewtopic.php?f=3&t=4232)
-
- Merge branch 'linux-4.1.y' into pax-test
-
- Conflicts:
- include/linux/kmemleak.h
+ Merge branch 'pax-test' into grsec-test
-commit 3aae0c06150f2d0edd5de7fdc451fcb9d92f6630
+commit 2584340eab494e64ec1bf9eb5b0d1ae31f926306
Author: Brad Spengler <spender@grsecurity.net>
-Date: Wed Jul 22 20:06:19 2015 -0400
-
- fix label typo in PCID alternatives, from pipacs
+Date: Mon Dec 28 20:29:28 2015 -0500
+
+ Update to pax-linux-4.3.3-test14.patch:
+ - fixed an integer sign conversion error in i2c_dw_pci_probe caught by the size overflow plugin, reported by Jean Lucas and ganymede (https://forums.grsecurity.net/viewtopic.php?f=3&t=4349)
+ - fixed shutdown crash with tboot and KERNEXEC, reported by perfinion
+ - fixed a few false positive and one real size overflow reports in hyperv, reported by hunger
+ - fixed compile regressions on armv5, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350)
+ - fixed an assert in the initify plugin that triggered in vic_register on arm
+
+ arch/arm/include/asm/atomic.h | 7 +++++--
+ arch/arm/include/asm/domain.h | 5 ++---
+ arch/x86/kernel/tboot.c | 14 +++++++++-----
+ drivers/hv/channel.c | 4 +---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 3 +--
+ fs/exec.c | 4 ++--
+ include/linux/atomic.h | 15 ---------------
+ net/core/skbuff.c | 3 ++-
+ tools/gcc/initify_plugin.c | 4 +++-
+ 10 files changed, 26 insertions(+), 35 deletions(-)
+
+commit 436201b6626b488d173c8076447000077c27b84a
+Author: David Howells <dhowells@redhat.com>
+Date: Fri Dec 18 01:34:26 2015 +0000
+
+ KEYS: Fix race between read and revoke
+
+ This fixes CVE-2015-7550.
+
+ There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+ happens between keyctl_read() checking the validity of a key and the key's
+ semaphore being taken, then the key type read method will see a revoked key.
+
+ This causes a problem for the user-defined key type because it assumes in
+ its read method that there will always be a payload in a non-revoked key
+ and doesn't check for a NULL pointer.
+
+ Fix this by making keyctl_read() check the validity of a key after taking
+ semaphore instead of before.
+
+ I think the bug was introduced with the original keyrings code.
+
+ This was discovered by a multithreaded test program generated by syzkaller
+ (http://github.com/google/syzkaller). Here's a cleaned up version:
+
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
+
+ Build as:
+
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+ Run as:
+
+ while keyctl-race; do :; done
+
+ as it may need several iterations to crash the kernel. The crash can be
+ summarised as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: James Morris <james.l.morris@oracle.com>
- arch/x86/kernel/entry_64.S | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
-commit 4e8c0f54ad0df5a9bd15a8a7d9dd80dd8f9abbca
+commit 195cea04477025da4a2078bd3e1fb7c4e11206c2
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 11:12:01 2015 -0400
+Date: Tue Dec 22 20:44:01 2015 -0500
- sm750 constify compile fix
+ Add new kernel command-line param: pax_size_overflow_report_only
+ If a user triggers a size_overflow violation that makes it difficult
+ to obtain the call trace without serial console/net console, they can
+ use this option to provide that information to us
- drivers/staging/sm750fb/sm750.c | 16 +++++++++++-----
- 1 files changed, 11 insertions(+), 5 deletions(-)
+ Documentation/kernel-parameters.txt | 5 +++++
+ fs/exec.c | 12 +++++++++---
+ init/main.c | 11 +++++++++++
+ 3 files changed, 25 insertions(+), 3 deletions(-)
-commit 7b41532287be8596b40ff8a89260a2e77535ab6f
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 10:33:11 2015 -0400
+commit 4254a8da5851df8c08cdca5c392916e8c105408d
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Mon Dec 21 10:55:45 2015 -0800
- Update size_overflow hash table
+ addrconf: always initialize sysctl table data
+
+ When sysctl performs restrict writes, it allows to write from
+ a middle position of a sysctl file, which requires us to initialize
+ the table data before calling proc_dostring() for the write case.
+
+ Fixes: 3d1bec99320d ("ipv6: introduce secret_stable to ipv6_devconf")
+ Reported-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Tested-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- .../size_overflow_plugin/size_overflow_hash.data | 713 +++++++++++++++-----
- 1 files changed, 555 insertions(+), 158 deletions(-)
+ net/ipv6/addrconf.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
-commit 180d814a4601c8f53bb5147cfb902e79a1936e44
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 02:33:19 2015 -0400
+commit f8002863fb06c363180637046947a78a6ccb3d33
+Author: WANG Cong <xiyou.wangcong@gmail.com>
+Date: Wed Dec 16 23:39:04 2015 -0800
- serial constify compile fixes
+ net: check both type and procotol for tcp sockets
+
+ Dmitry reported the following out-of-bound access:
+
+ Call Trace:
+ [<ffffffff816cec2e>] __asan_report_load4_noabort+0x3e/0x40
+ mm/kasan/report.c:294
+ [<ffffffff84affb14>] sock_setsockopt+0x1284/0x13d0 net/core/sock.c:880
+ [< inline >] SYSC_setsockopt net/socket.c:1746
+ [<ffffffff84aed7ee>] SyS_setsockopt+0x1fe/0x240 net/socket.c:1729
+ [<ffffffff85c18c76>] entry_SYSCALL_64_fastpath+0x16/0x7a
+ arch/x86/entry/entry_64.S:185
+
+ This is because we mistake a raw socket as a tcp socket.
+ We should check both sk->sk_type and sk->sk_protocol to ensure
+ it is a tcp socket.
+
+ Willem points out __skb_complete_tx_timestamp() needs to fix as well.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+ Acked-by: Willem de Bruijn <willemb@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/tty/serial/8250/8250_core.c | 8 +++++---
- drivers/tty/serial/uartlite.c | 4 ++--
- 2 files changed, 7 insertions(+), 5 deletions(-)
+ net/core/skbuff.c | 3 ++-
+ net/core/sock.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
-commit 338a2a25ce91d3355a1534f889019f7769ca7ba2
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 02:05:44 2015 -0400
+commit bd6b3399804470a4ad8f34229469ca149dceba3d
+Author: Colin Ian King <colin.king@canonical.com>
+Date: Fri Dec 18 14:22:01 2015 -0800
- rtc constify compile fix
+ proc: fix -ESRCH error when writing to /proc/$pid/coredump_filter
+
+ Writing to /proc/$pid/coredump_filter always returns -ESRCH because commit
+ 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()") removed
+ the setting of ret after the get_proc_task call and incorrectly left it as
+ -ESRCH. Instead, return 0 when successful.
+
+ Example breakage:
+
+ echo 0 > /proc/self/coredump_filter
+ bash: echo: write error: No such process
+
+ Fixes: 774636e19ed51 ("proc: convert to kstrto*()/kstrto*_from_user()")
+ Signed-off-by: Colin Ian King <colin.king@canonical.com>
+ Acked-by: Kees Cook <keescook@chromium.org>
+ Cc: <stable@vger.kernel.org> [4.3+]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
- drivers/rtc/rtc-test.c | 6 ++++--
- 1 files changed, 4 insertions(+), 2 deletions(-)
+ fs/proc/base.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit 48cf6904def83d1dfd7131960f69c2088d96a8a8
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 01:45:49 2015 -0400
+commit b28aca2b99ed08546778355fb9402c503ff9b29e
+Author: Junichi Nomura <j-nomura@ce.jp.nec.com>
+Date: Tue Dec 22 10:23:44 2015 -0700
- more amd xgbe constify compile fixes
+ block: ensure to split after potentially bouncing a bio
+
+ blk_queue_bio() does split then bounce, which makes the segment
+ counting based on pages before bouncing and could go wrong. Move
+ the split to after bouncing, like we do for blk-mq, and the we
+ fix the issue of having the bio count for segments be wrong.
+
+ Fixes: 54efd50bfd87 ("block: make generic_make_request handle arbitrarily sized bios")
+ Cc: stable@vger.kernel.org
+ Tested-by: Artem S. Tashkinov <t.artem@lycos.com>
+ Signed-off-by: Jens Axboe <axboe@fb.com>
- drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 2 +-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 4 ++--
- drivers/net/ethernet/amd/xgbe/xgbe.h | 8 ++++----
- 3 files changed, 7 insertions(+), 7 deletions(-)
+ block/blk-core.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
-commit edb5beab2ed5cdc8b86cf2c00feded7b1ff7015a
+commit e62a25e917a9e5b35ddd5b4f1b5e5e30fbd2e84c
+Merge: f6f63ae ec72fa5
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 01:26:30 2015 -0400
-
- hid sensor constify compile fix
+Date: Tue Dec 22 19:46:26 2015 -0500
- drivers/hid/hid-sensor-custom.c | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit 6426185a4a34d7fcdaad8affcf163378bc2f44a0
+commit ec72fa5f8d9cb4e223bad1b8b5c2e1071c222f2a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 01:15:39 2015 -0400
+Date: Tue Dec 22 19:45:51 2015 -0500
- hid sensor constify fix
+ Update to pax-linux-4.3.3-test13.patch:
+ - Emese fixed a (probably) false positive integer truncation in xfs_da_grow_inode_int, reported by jdkbx (http://forums.grsecurity.net/viewtopic.php?f=3&t=4346)
+ - fixed a size overflow in btrfs/try_merge_map, reported by Alex W (https://bugs.archlinux.org/task/47173) and mathias and dwokfur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4344)
- drivers/hid/hid-sensor-custom.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ arch/arm/mm/fault.c | 2 +-
+ arch/x86/mm/fault.c | 2 +-
+ fs/btrfs/extent_map.c | 8 ++++++--
+ fs/xfs/libxfs/xfs_da_btree.c | 4 +++-
+ 4 files changed, 11 insertions(+), 5 deletions(-)
-commit d1a8ca75a5391570183688fc7a769a90ac09c49f
+commit f6f63ae154cd45028add1dc41957878060d77fbf
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 01:09:37 2015 -0400
+Date: Thu Dec 17 18:43:44 2015 -0500
- constify compile fix on dsa_netdevice_nb
+ ptrace_has_cap() checks whether the current process should be
+ treated as having a certain capability for ptrace checks
+ against another process. Until now, this was equivalent to
+ has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
+
+ However, if a root-owned process wants to enter a user
+ namespace for some reason without knowing who owns it and
+ therefore can't change to the namespace owner's uid and gid
+ before entering, as soon as it has entered the namespace,
+ the namespace owner can attach to it via ptrace and thereby
+ gain access to its uid and gid.
+
+ While it is possible for the entering process to switch to
+ the uid of a claimed namespace owner before entering,
+ causing the attempt to enter to fail if the claimed uid is
+ wrong, this doesn't solve the problem of determining an
+ appropriate gid.
+
+ With this change, the entering process can first enter the
+ namespace and then safely inspect the namespace's
+ properties, e.g. through /proc/self/{uid_map,gid_map},
+ assuming that the namespace owner doesn't have access to
+ uid 0.
+ Signed-off-by: Jann Horn <jann@thejh.net>
- net/dsa/dsa.c | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ kernel/ptrace.c | 30 +++++++++++++++++++++++++-----
+ 1 files changed, 25 insertions(+), 5 deletions(-)
-commit b649e0688cb346fa71b84ff77dc52791c6d418ed
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 00:57:38 2015 -0400
+commit e314f0fb63020f61543b401ff594e953c2c304e5
+Author: tadeusz.struk@intel.com <tadeusz.struk@intel.com>
+Date: Tue Dec 15 10:46:17 2015 -0800
- more amd xgbe compile fixes
+ net: fix uninitialized variable issue
+
+ msg_iocb needs to be initialized on the recv/recvfrom path.
+ Otherwise afalg will wrongly interpret it as an async call.
+
+ Cc: stable@vger.kernel.org
+ Reported-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+ Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 2 +-
- drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
+ net/socket.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
-commit b4a813cf341440108d351bcd8114d7d6656184dd
+commit a3f56a43ad56b8fcaf04f6327636ed2f5970de3b
+Merge: dfa764c 142edcf
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 00:42:04 2015 -0400
+Date: Wed Dec 16 21:01:17 2015 -0500
- compile fixes for amd xgbe driver
-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 144 +++++++++++++++---------------
- 1 files changed, 72 insertions(+), 72 deletions(-)
+ Merge branch 'pax-test' into grsec-test
-commit d78936ae01718c4f9a3dfe76cdbf4345df050d81
+commit 142edcf1005a57fb8887823565cf0bafad2f313c
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 00:13:37 2015 -0400
+Date: Wed Dec 16 21:00:57 2015 -0500
- compile fix
+ Update to pax-linux-4.3.3-test12.patch:
+ - Emese fixed a size overflow false positive in reiserfs/leaf_paste_entries, reported by Christian Apeltauer (https://bugs.gentoo.org/show_bug.cgi?id=568046)
+ - fixed a bunch of int/size_t mismatches in the drivers/tty/n_tty.c code causing size overflow false positives, reported by Toralf Förster, mathias (https://forums.grsecurity.net/viewtopic.php?f=3&t=4342), N8Fear (https://forums.grsecurity.net/viewtopic.php?f=3&t=4341)
- grsecurity/gracl_fs.c | 3 ---
- 1 files changed, 0 insertions(+), 3 deletions(-)
+ drivers/tty/n_tty.c | 16 ++++++++--------
+ .../disable_size_overflow_hash.data | 2 ++
+ .../size_overflow_plugin/size_overflow_hash.data | 6 ++----
+ 3 files changed, 12 insertions(+), 12 deletions(-)
-commit b7255f77200fb7b508be06c7b2dd3d1e3c403a5b
-Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 00:07:19 2015 -0400
+commit dfa764cc549892a5bfc1083cac78b99032cae577
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Dec 15 22:59:12 2015 +0100
- compile fix and fix tracefs const modification
+ ipv6: automatically enable stable privacy mode if stable_secret set
+
+ Bjørn reported that while we switch all interfaces to privacy stable mode
+ when setting the secret, we don't set this mode for new interfaces. This
+ does not make sense, so change this behaviour.
+
+ Fixes: 622c81d57b392cc ("ipv6: generation of stable privacy addresses for link-local and autoconf")
+ Reported-by: Bjørn Mork <bjorn@mork.no>
+ Cc: Bjørn Mork <bjorn@mork.no>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
- fs/tracefs/inode.c | 6 ++++--
- grsecurity/gracl.c | 4 ++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
+ net/ipv6/addrconf.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
-commit 83873aba9c78a658e782ec826cbb5b0e671e4da9
+commit c2815a1fee03f222273e77c14e43f960da06f35a
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sun Jul 12 00:02:28 2015 -0400
+Date: Wed Dec 16 13:03:38 2015 -0500
- compile fix
+ Work around upstream limitation on the number of thread info flags causing a compilation error
+ Reported by fabled at http://forums.grsecurity.net/viewtopic.php?f=3&t=4339
- include/linux/capability.h | 8 ++++++++
- 1 files changed, 8 insertions(+), 0 deletions(-)
+ arch/arm/kernel/entry-common.S | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
-commit a24d90f1ab8314d612035d9fbf8d5de83a0818a8
+commit 8c9ae168e09ae49324d709d76d73d9fc4ca477e1
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 11 23:56:19 2015 -0400
+Date: Tue Dec 15 19:03:41 2015 -0500
- Initial import of grsecurity 3.1 for Linux 4.1
+ Initial import of grsecurity 3.1 for Linux 4.3.3
Documentation/dontdiff | 2 +
Documentation/kernel-parameters.txt | 7 +
+ Documentation/sysctl/kernel.txt | 15 +
Makefile | 18 +-
arch/alpha/include/asm/cache.h | 4 +-
arch/alpha/kernel/osf_sys.c | 12 +-
+ arch/arc/Kconfig | 1 +
arch/arm/Kconfig | 1 +
- arch/arm/include/asm/thread_info.h | 9 +-
+ arch/arm/Kconfig.debug | 1 +
+ arch/arm/include/asm/thread_info.h | 7 +-
arch/arm/kernel/process.c | 4 +-
arch/arm/kernel/ptrace.c | 9 +
arch/arm/kernel/traps.c | 7 +-
arch/arm/mm/Kconfig | 2 +-
arch/arm/mm/fault.c | 40 +-
arch/arm/mm/mmap.c | 8 +-
- arch/arm/net/bpf_jit_32.c | 4 +
+ arch/arm/net/bpf_jit_32.c | 51 +-
+ arch/arm64/Kconfig.debug | 1 +
arch/avr32/include/asm/cache.h | 4 +-
+ arch/blackfin/Kconfig.debug | 1 +
arch/blackfin/include/asm/cache.h | 3 +-
arch/cris/include/arch-v10/arch/cache.h | 3 +-
arch/cris/include/arch-v32/arch/cache.h | 3 +-
arch/parisc/include/asm/cache.h | 5 +-
arch/parisc/kernel/sys_parisc.c | 4 +
arch/powerpc/Kconfig | 1 +
- arch/powerpc/include/asm/cache.h | 3 +-
+ arch/powerpc/include/asm/cache.h | 4 +-
arch/powerpc/include/asm/thread_info.h | 5 +-
arch/powerpc/kernel/Makefile | 2 +
arch/powerpc/kernel/irq.c | 3 +
arch/powerpc/kernel/ptrace.c | 14 +
arch/powerpc/kernel/traps.c | 5 +
arch/powerpc/mm/slice.c | 2 +-
+ arch/s390/Kconfig.debug | 1 +
arch/s390/include/asm/cache.h | 4 +-
arch/score/include/asm/cache.h | 4 +-
arch/sh/include/asm/cache.h | 3 +-
arch/tile/mm/hugetlbpage.c | 2 +
arch/um/include/asm/cache.h | 3 +-
arch/unicore32/include/asm/cache.h | 6 +-
- arch/x86/Kconfig | 5 +
+ arch/x86/Kconfig | 21 +
+ arch/x86/Kconfig.debug | 2 +
+ arch/x86/entry/common.c | 14 +
+ arch/x86/entry/entry_32.S | 2 +-
+ arch/x86/entry/entry_64.S | 2 +-
arch/x86/ia32/ia32_aout.c | 2 +
arch/x86/include/asm/floppy.h | 20 +-
+ arch/x86/include/asm/fpu/types.h | 69 +-
arch/x86/include/asm/io.h | 2 +-
arch/x86/include/asm/page.h | 12 +-
arch/x86/include/asm/paravirt_types.h | 23 +-
- arch/x86/include/asm/processor.h | 2 +-
- arch/x86/include/asm/thread_info.h | 8 +-
+ arch/x86/include/asm/processor.h | 12 +-
+ arch/x86/include/asm/thread_info.h | 6 +-
+ arch/x86/include/asm/uaccess.h | 2 +-
arch/x86/kernel/dumpstack.c | 10 +-
arch/x86/kernel/dumpstack_32.c | 2 +-
arch/x86/kernel/dumpstack_64.c | 2 +-
- arch/x86/kernel/entry_32.S | 2 +-
- arch/x86/kernel/entry_64.S | 2 +-
- arch/x86/kernel/espfix_64.c | 2 +-
arch/x86/kernel/ioport.c | 13 +
arch/x86/kernel/irq_32.c | 3 +
arch/x86/kernel/irq_64.c | 4 +
+ arch/x86/kernel/ldt.c | 18 +
arch/x86/kernel/msr.c | 10 +
- arch/x86/kernel/ptrace.c | 28 +
+ arch/x86/kernel/ptrace.c | 14 +
arch/x86/kernel/signal.c | 9 +-
arch/x86/kernel/sys_i386_32.c | 9 +-
arch/x86/kernel/sys_x86_64.c | 8 +-
arch/x86/kernel/traps.c | 5 +
arch/x86/kernel/verify_cpu.S | 1 +
- arch/x86/kernel/vm86_32.c | 16 +
- arch/x86/kvm/lapic.h | 2 +-
- arch/x86/lib/usercopy.c | 2 +-
+ arch/x86/kernel/vm86_32.c | 15 +
+ arch/x86/kvm/svm.c | 14 +-
arch/x86/mm/fault.c | 12 +-
arch/x86/mm/hugetlbpage.c | 15 +-
arch/x86/mm/init.c | 66 +-
arch/x86/xen/Kconfig | 1 +
arch/xtensa/variants/dc232b/include/variant/core.h | 2 +-
arch/xtensa/variants/fsf/include/variant/core.h | 3 +-
+ crypto/ablkcipher.c | 2 +-
+ crypto/blkcipher.c | 2 +-
+ crypto/scatterwalk.c | 10 +-
drivers/acpi/acpica/hwxfsleep.c | 11 +-
drivers/acpi/custom_method.c | 4 +
drivers/block/cciss.h | 30 +-
drivers/cdrom/cdrom.c | 2 +-
drivers/char/Kconfig | 4 +-
drivers/char/genrtc.c | 1 +
+ drivers/char/ipmi/ipmi_si_intf.c | 8 +-
drivers/char/mem.c | 17 +
drivers/char/random.c | 5 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 2 -
+ drivers/crypto/nx/nx-aes-ccm.c | 2 +-
+ drivers/crypto/nx/nx-aes-gcm.c | 2 +-
+ drivers/crypto/talitos.c | 2 +-
drivers/firewire/ohci.c | 4 +
- drivers/gpu/drm/drm_context.c | 50 +-
- drivers/gpu/drm/drm_drv.c | 11 +-
- drivers/gpu/drm/drm_lock.c | 18 +-
- drivers/gpu/drm/i915/i915_dma.c | 2 +
- drivers/gpu/drm/nouveau/nouveau_drm.c | 3 +-
- drivers/gpu/drm/nouveau/nouveau_ttm.c | 30 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 70 +-
+ drivers/gpu/drm/nouveau/nouveau_ttm.c | 28 +-
drivers/gpu/drm/ttm/ttm_bo_manager.c | 10 +-
+ drivers/gpu/drm/virtio/virtgpu_ttm.c | 10 +-
drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c | 10 +-
drivers/hid/hid-wiimote-debug.c | 2 +-
drivers/infiniband/hw/nes/nes_cm.c | 22 +-
+ drivers/iommu/Kconfig | 1 +
drivers/iommu/amd_iommu.c | 14 +-
drivers/isdn/gigaset/bas-gigaset.c | 32 +-
drivers/isdn/gigaset/ser-gigaset.c | 32 +-
drivers/isdn/gigaset/usb-gigaset.c | 32 +-
+ drivers/isdn/hisax/config.c | 2 +-
+ drivers/isdn/hisax/hfc_pci.c | 2 +-
+ drivers/isdn/hisax/hfc_sx.c | 2 +-
+ drivers/isdn/hisax/q931.c | 6 +-
drivers/isdn/i4l/isdn_concap.c | 6 +-
drivers/isdn/i4l/isdn_x25iface.c | 16 +-
+ drivers/md/bcache/Kconfig | 1 +
drivers/md/raid5.c | 8 +
drivers/media/pci/solo6x10/solo6x10-g723.c | 2 +-
+ drivers/media/platform/sti/c8sectpfe/Kconfig | 1 +
+ drivers/media/platform/vivid/vivid-osd.c | 1 +
drivers/media/radio/radio-cadet.c | 5 +-
drivers/media/usb/dvb-usb/cinergyT2-core.c | 91 +-
drivers/media/usb/dvb-usb/cinergyT2-fe.c | 182 +-
drivers/message/fusion/mptbase.c | 9 +
drivers/misc/sgi-xp/xp_main.c | 12 +-
drivers/net/ethernet/brocade/bna/bna_enet.c | 8 +-
+ drivers/net/ppp/pppoe.c | 14 +-
+ drivers/net/ppp/pptp.c | 6 +
+ drivers/net/slip/slhc.c | 3 +
drivers/net/wan/lmc/lmc_media.c | 97 +-
+ drivers/net/wan/x25_asy.c | 6 +-
drivers/net/wan/z85230.c | 24 +-
+ drivers/net/wireless/ath/ath9k/Kconfig | 1 -
drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
- drivers/nfc/st21nfca/st21nfca.c | 11 +-
+ drivers/pci/pci-sysfs.c | 2 +-
drivers/pci/proc.c | 9 +
drivers/platform/x86/asus-wmi.c | 12 +
drivers/rtc/rtc-dev.c | 3 +
drivers/scsi/bfa/bfa_fcs_lport.c | 29 +-
drivers/scsi/bfa/bfa_modules.h | 12 +-
drivers/scsi/hpsa.h | 40 +-
+ drivers/staging/dgnc/dgnc_mgmt.c | 1 +
drivers/staging/lustre/lustre/ldlm/ldlm_flock.c | 2 +-
drivers/staging/lustre/lustre/libcfs/module.c | 10 +-
+ drivers/target/target_core_sbc.c | 17 +-
+ drivers/target/target_core_transport.c | 14 +-
+ drivers/tty/serial/uartlite.c | 4 +-
drivers/tty/sysrq.c | 2 +-
drivers/tty/vt/keyboard.c | 22 +-
drivers/uio/uio.c | 6 +-
drivers/usb/core/hub.c | 5 +
- drivers/usb/gadget/configfs.c | 2 +-
drivers/usb/gadget/function/f_uac1.c | 1 +
drivers/usb/gadget/function/u_uac1.c | 1 +
drivers/usb/host/hwa-hc.c | 9 +-
+ drivers/usb/usbip/vhci_sysfs.c | 2 +-
drivers/video/fbdev/arcfb.c | 2 +-
drivers/video/fbdev/matrox/matroxfb_DAC1064.c | 10 +-
drivers/video/fbdev/matrox/matroxfb_Ti3026.c | 5 +-
drivers/video/fbdev/sh_mobile_lcdcfb.c | 6 +-
drivers/video/logo/logo_linux_clut224.ppm | 2720 ++++-----
drivers/xen/xenfs/xenstored.c | 5 +
- firmware/Makefile | 1 +
- firmware/WHENCE | 19 +-
+ firmware/Makefile | 2 +
+ firmware/WHENCE | 20 +-
+ firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex | 5804 +++++++++++++++++
firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex | 6496 ++++++++++++++++++++
+ fs/9p/vfs_inode.c | 4 +-
fs/attr.c | 1 +
fs/autofs4/waitq.c | 9 +
fs/binfmt_aout.c | 7 +
- fs/binfmt_elf.c | 40 +-
+ fs/binfmt_elf.c | 50 +-
fs/compat.c | 20 +-
- fs/configfs/item.c | 4 +-
fs/coredump.c | 17 +-
fs/dcache.c | 3 +
fs/debugfs/inode.c | 11 +-
- fs/exec.c | 218 +-
+ fs/exec.c | 219 +-
fs/ext2/balloc.c | 4 +-
fs/ext2/super.c | 8 +-
- fs/ext3/balloc.c | 4 +-
- fs/ext3/super.c | 8 +-
fs/ext4/balloc.c | 4 +-
fs/fcntl.c | 4 +
fs/fhandle.c | 3 +-
fs/filesystems.c | 4 +
fs/fs_struct.c | 20 +-
fs/hugetlbfs/inode.c | 5 +-
- fs/inode.c | 6 +-
+ fs/inode.c | 8 +-
fs/kernfs/dir.c | 6 +
fs/mount.h | 4 +-
- fs/namei.c | 240 +-
+ fs/namei.c | 286 +-
fs/namespace.c | 24 +
fs/nfsd/nfscache.c | 2 +-
fs/open.c | 38 +
+ fs/overlayfs/inode.c | 11 +-
fs/overlayfs/super.c | 6 +-
fs/pipe.c | 2 +-
fs/posix_acl.c | 15 +-
fs/proc/Kconfig | 10 +-
- fs/proc/array.c | 66 +-
- fs/proc/base.c | 163 +-
+ fs/proc/array.c | 69 +-
+ fs/proc/base.c | 186 +-
fs/proc/cmdline.c | 4 +
fs/proc/devices.c | 4 +
fs/proc/fd.c | 17 +-
fs/proc/internal.h | 11 +-
fs/proc/interrupts.c | 4 +
fs/proc/kcore.c | 3 +
+ fs/proc/meminfo.c | 7 +-
+ fs/proc/namespaces.c | 4 +-
fs/proc/proc_net.c | 31 +
fs/proc/proc_sysctl.c | 52 +-
fs/proc/root.c | 8 +
fs/reiserfs/item_ops.c | 24 +-
fs/reiserfs/super.c | 4 +
fs/select.c | 2 +
- fs/seq_file.c | 37 +-
+ fs/seq_file.c | 30 +-
+ fs/splice.c | 8 +
fs/stat.c | 20 +-
fs/sysfs/dir.c | 30 +-
+ fs/sysv/inode.c | 11 +-
fs/utimes.c | 7 +
fs/xattr.c | 26 +-
grsecurity/Kconfig | 1182 ++++
grsecurity/gracl_alloc.c | 105 +
grsecurity/gracl_cap.c | 127 +
grsecurity/gracl_compat.c | 269 +
- grsecurity/gracl_fs.c | 451 ++
+ grsecurity/gracl_fs.c | 448 ++
grsecurity/gracl_ip.c | 386 ++
grsecurity/gracl_learn.c | 207 +
grsecurity/gracl_policy.c | 1786 ++++++
grsecurity/grsec_fork.c | 23 +
grsecurity/grsec_init.c | 290 +
grsecurity/grsec_ipc.c | 48 +
- grsecurity/grsec_link.c | 59 +
- grsecurity/grsec_log.c | 341 +
+ grsecurity/grsec_link.c | 65 +
+ grsecurity/grsec_log.c | 340 +
grsecurity/grsec_mem.c | 48 +
grsecurity/grsec_mount.c | 65 +
- grsecurity/grsec_pax.c | 45 +
+ grsecurity/grsec_pax.c | 47 +
grsecurity/grsec_proc.c | 20 +
grsecurity/grsec_ptrace.c | 30 +
grsecurity/grsec_sig.c | 236 +
grsecurity/grsec_tpe.c | 78 +
grsecurity/grsec_usb.c | 15 +
grsecurity/grsum.c | 64 +
- include/drm/drmP.h | 23 +-
include/linux/binfmts.h | 5 +-
- include/linux/capability.h | 5 +
- include/linux/compiler-gcc4.h | 5 +
- include/linux/compiler-gcc5.h | 5 +
+ include/linux/bitops.h | 2 +-
+ include/linux/capability.h | 13 +
+ include/linux/compiler-gcc.h | 5 +
include/linux/compiler.h | 8 +
- include/linux/configfs.h | 2 +-
include/linux/cred.h | 8 +-
include/linux/dcache.h | 5 +-
include/linux/fs.h | 24 +-
include/linux/grdefs.h | 140 +
include/linux/grinternal.h | 230 +
include/linux/grmsg.h | 118 +
- include/linux/grsecurity.h | 247 +
+ include/linux/grsecurity.h | 255 +
include/linux/grsock.h | 19 +
+ include/linux/ipc.h | 2 +-
include/linux/ipc_namespace.h | 2 +-
include/linux/kallsyms.h | 18 +-
include/linux/kmod.h | 5 +
include/linux/kobject.h | 2 +-
+ include/linux/lsm_hooks.h | 4 +-
include/linux/mm.h | 12 +
include/linux/mm_types.h | 4 +-
- include/linux/module.h | 4 +-
+ include/linux/module.h | 5 +-
include/linux/mount.h | 2 +-
+ include/linux/msg.h | 2 +-
include/linux/netfilter/xt_gradm.h | 9 +
include/linux/path.h | 4 +-
include/linux/perf_event.h | 13 +-
include/linux/printk.h | 2 +-
include/linux/proc_fs.h | 22 +-
include/linux/proc_ns.h | 2 +-
+ include/linux/ptrace.h | 24 +-
include/linux/random.h | 2 +-
include/linux/rbtree_augmented.h | 4 +-
include/linux/scatterlist.h | 12 +-
- include/linux/sched.h | 104 +-
- include/linux/security.h | 3 +-
+ include/linux/sched.h | 114 +-
+ include/linux/security.h | 1 +
+ include/linux/sem.h | 2 +-
include/linux/seq_file.h | 5 +
- include/linux/shm.h | 4 +
+ include/linux/shm.h | 6 +-
include/linux/skbuff.h | 3 +
include/linux/slab.h | 9 -
- include/linux/sysctl.h | 4 +-
+ include/linux/sysctl.h | 8 +-
include/linux/thread_info.h | 6 +-
include/linux/tty.h | 2 +-
include/linux/tty_driver.h | 4 +-
include/linux/user_namespace.h | 2 +-
include/linux/utsname.h | 2 +-
include/linux/vermagic.h | 16 +-
- include/linux/vmalloc.h | 4 +
+ include/linux/vmalloc.h | 20 +-
include/net/af_unix.h | 2 +-
+ include/net/dst.h | 33 +
include/net/ip.h | 2 +-
include/net/neighbour.h | 2 +-
include/net/net_namespace.h | 2 +-
- include/net/sock.h | 2 +-
+ include/net/sock.h | 4 +-
+ include/target/target_core_base.h | 2 +-
include/trace/events/fs.h | 53 +
- include/uapi/drm/i915_drm.h | 1 +
include/uapi/linux/personality.h | 1 +
- init/Kconfig | 3 +-
+ init/Kconfig | 4 +-
init/main.c | 35 +-
ipc/mqueue.c | 1 +
- ipc/shm.c | 23 +
+ ipc/msg.c | 3 +-
+ ipc/sem.c | 3 +-
+ ipc/shm.c | 26 +-
ipc/util.c | 6 +
kernel/auditsc.c | 2 +-
kernel/bpf/syscall.c | 8 +-
kernel/cgroup.c | 5 +-
kernel/compat.c | 1 +
kernel/configs.c | 11 +
- kernel/cred.c | 113 +-
- kernel/events/core.c | 14 +-
+ kernel/cred.c | 112 +-
+ kernel/events/core.c | 16 +-
kernel/exit.c | 10 +-
kernel/fork.c | 86 +-
- kernel/futex.c | 4 +-
+ kernel/futex.c | 6 +-
+ kernel/futex_compat.c | 2 +-
kernel/kallsyms.c | 9 +
- kernel/kcmp.c | 4 +
+ kernel/kcmp.c | 8 +-
+ kernel/kexec_core.c | 2 +-
kernel/kmod.c | 95 +-
kernel/kprobes.c | 7 +-
kernel/ksysfs.c | 2 +
kernel/locking/lockdep_proc.c | 10 +-
- kernel/module.c | 106 +-
+ kernel/module.c | 108 +-
kernel/panic.c | 4 +-
- kernel/pid.c | 19 +-
+ kernel/pid.c | 23 +-
kernel/power/Kconfig | 2 +
- kernel/printk/printk.c | 5 +
- kernel/ptrace.c | 20 +-
+ kernel/printk/printk.c | 20 +-
+ kernel/ptrace.c | 56 +-
kernel/resource.c | 10 +
kernel/sched/core.c | 11 +-
kernel/signal.c | 37 +-
kernel/sys.c | 64 +-
- kernel/sysctl.c | 71 +-
+ kernel/sysctl.c | 172 +-
kernel/taskstats.c | 6 +
kernel/time/posix-timers.c | 8 +
kernel/time/time.c | 5 +
kernel/time/timekeeping.c | 3 +
- kernel/time/timer_list.c | 12 +
+ kernel/time/timer_list.c | 13 +-
kernel/time/timer_stats.c | 10 +-
- kernel/trace/trace_events_filter.c | 6 +
+ kernel/trace/Kconfig | 2 +
kernel/trace/trace_syscalls.c | 8 +
kernel/user_namespace.c | 15 +
- lib/Kconfig.debug | 7 +-
+ lib/Kconfig.debug | 13 +-
+ lib/Kconfig.kasan | 2 +-
lib/is_single_threaded.c | 3 +
lib/list_debug.c | 65 +-
lib/nlattr.c | 2 +
lib/rbtree.c | 4 +-
- lib/vsprintf.c | 37 +-
+ lib/vsprintf.c | 39 +-
localversion-grsec | 1 +
- mm/Kconfig | 5 +-
+ mm/Kconfig | 8 +-
mm/Kconfig.debug | 1 +
mm/filemap.c | 1 +
mm/kmemleak.c | 4 +-
mm/mlock.c | 6 +-
mm/mmap.c | 93 +-
mm/mprotect.c | 8 +
+ mm/oom_kill.c | 28 +-
mm/page_alloc.c | 2 +-
- mm/process_vm_access.c | 6 +
- mm/shmem.c | 2 +-
- mm/slab.c | 2 +-
+ mm/process_vm_access.c | 8 +-
+ mm/shmem.c | 36 +-
+ mm/slab.c | 14 +-
mm/slab_common.c | 2 +-
- mm/slub.c | 22 +-
+ mm/slob.c | 12 +
+ mm/slub.c | 33 +-
mm/util.c | 3 +
- mm/vmalloc.c | 72 +-
+ mm/vmalloc.c | 129 +-
mm/vmstat.c | 29 +-
net/appletalk/atalk_proc.c | 2 +-
net/atm/lec.c | 6 +-
net/atm/mpoa_caches.c | 42 +-
- net/bridge/br_mdb.c | 2 +
+ net/bluetooth/sco.c | 3 +
net/can/bcm.c | 2 +-
net/can/proc.c | 2 +-
net/core/dev_ioctl.c | 7 +-
net/core/sysctl_net_core.c | 2 +-
net/decnet/dn_dev.c | 2 +-
net/ipv4/devinet.c | 6 +-
- net/ipv4/inet_hashtables.c | 5 +
+ net/ipv4/inet_hashtables.c | 4 +
net/ipv4/ip_input.c | 7 +
net/ipv4/ip_sockglue.c | 3 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
+ net/ipv4/netfilter/nf_nat_pptp.c | 2 +-
net/ipv4/route.c | 6 +-
net/ipv4/tcp_input.c | 4 +-
- net/ipv4/tcp_ipv4.c | 24 +-
+ net/ipv4/tcp_ipv4.c | 29 +-
net/ipv4/tcp_minisocks.c | 9 +-
net/ipv4/tcp_timer.c | 11 +
net/ipv4/udp.c | 24 +
net/ipv6/addrconf.c | 13 +-
net/ipv6/proc.c | 2 +-
- net/ipv6/tcp_ipv6.c | 23 +-
+ net/ipv6/tcp_ipv6.c | 26 +-
net/ipv6/udp.c | 7 +
net/ipx/ipx_proc.c | 2 +-
net/irda/irproc.c | 2 +-
net/netfilter/xt_gradm.c | 51 +
net/netfilter/xt_hashlimit.c | 4 +-
net/netfilter/xt_recent.c | 2 +-
- net/socket.c | 71 +-
+ net/sched/sch_api.c | 2 +-
+ net/sctp/socket.c | 4 +-
+ net/socket.c | 75 +-
+ net/sunrpc/Kconfig | 1 +
net/sunrpc/cache.c | 2 +-
net/sunrpc/stats.c | 2 +-
net/sysctl_net.c | 2 +-
- net/tipc/socket.c | 1 +
net/unix/af_unix.c | 52 +-
net/vmw_vsock/vmci_transport_notify.c | 30 +-
net/vmw_vsock/vmci_transport_notify_qstate.c | 30 +-
net/x25/sysctl_net_x25.c | 2 +-
net/x25/x25_proc.c | 2 +-
scripts/package/Makefile | 2 +-
- scripts/package/mkspec | 38 +-
+ scripts/package/mkspec | 41 +-
security/Kconfig | 369 +-
security/apparmor/file.c | 4 +-
security/apparmor/lsm.c | 8 +-
- security/commoncap.c | 29 +
+ security/commoncap.c | 36 +-
security/min_addr.c | 2 +
- security/selinux/hooks.c | 3 +-
+ security/smack/smack_lsm.c | 8 +-
security/tomoyo/file.c | 12 +-
security/tomoyo/mount.c | 4 +
security/tomoyo/tomoyo.c | 20 +-
security/yama/Kconfig | 2 +-
+ security/yama/yama_lsm.c | 4 +-
sound/synth/emux/emux_seq.c | 14 +-
sound/usb/line6/driver.c | 40 +-
sound/usb/line6/toneport.c | 12 +-
tools/gcc/.gitignore | 1 +
tools/gcc/Makefile | 12 +
- tools/gcc/constify_plugin.c | 4 +
tools/gcc/gen-random-seed.sh | 8 +
- tools/gcc/randomize_layout_plugin.c | 922 +++
- tools/gcc/size_overflow_plugin/.gitignore | 2 +
- .../size_overflow_plugin/size_overflow_hash.data | 690 ++-
- 463 files changed, 26450 insertions(+), 2932 deletions(-)
+ tools/gcc/randomize_layout_plugin.c | 930 +++
+ tools/gcc/size_overflow_plugin/.gitignore | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 459 ++-
+ 511 files changed, 32631 insertions(+), 3196 deletions(-)
-commit bd9c3c87dd1c7919cde1008efd963724d9a3752b
+commit a76adb92ce39aee8eec5a025c828030ad6135c6d
Author: Brad Spengler <spender@grsecurity.net>
-Date: Sat Jul 11 19:14:11 2015 -0400
+Date: Tue Dec 15 14:31:49 2015 -0500
+
+ Update to pax-linux-4.3.3-test11.patch:
+ - fixed a few compile regressions with the recent plugin changes, reported by spender
+ - updated the size overflow hash table
- Initial import of pax-linux-4.1.2-test2.patch
+ tools/gcc/latent_entropy_plugin.c | 2 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 66 +++++++++++++++++---
+ tools/gcc/stackleak_plugin.c | 2 +-
+ tools/gcc/structleak_plugin.c | 6 +--
+ 4 files changed, 60 insertions(+), 16 deletions(-)
+
+commit f7284b1fc06628fcb2d35d2beecdea5454d46af9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 11:50:24 2015 -0500
+
+ Apply structleak ICE fix for gcc < 4.9
+
+ tools/gcc/structleak_plugin.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+commit 92fe3eb9fd10ec7f7334decab1526989669b0287
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 07:57:06 2015 -0500
+
+ Update to pax-linux-4.3.1-test10.patch:
+ - Emese fixed INDIRECT_REF and TARGET_MEM_REF handling in the initify plugin
+ - Emese regenerated the size overflow hash tables for 4.3
+ - fixed some compat syscall exit paths to restore r12 under KERNEXEC/or
+ - the latent entropy, stackleak and structleak plugins no longer split the entry block unnecessarily
+
+ arch/x86/entry/entry_64.S | 2 +-
+ arch/x86/entry/entry_64_compat.S | 15 +-
+ scripts/package/builddeb | 2 +-
+ tools/gcc/initify_plugin.c | 11 +-
+ tools/gcc/latent_entropy_plugin.c | 20 +-
+ .../disable_size_overflow_hash.data | 4 +
+ .../size_overflow_plugin/size_overflow_hash.data | 5345 +++++++++++---------
+ tools/gcc/stackleak_plugin.c | 26 +-
+ tools/gcc/structleak_plugin.c | 21 +-
+ 9 files changed, 3079 insertions(+), 2367 deletions(-)
+
+commit 5bd245cb687319079c2f1c0d6a1170791ed1ed2c
+Merge: b5847e6 3548341
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 15 07:47:56 2015 -0500
+
+ Merge branch 'linux-4.3.y' into pax-4_3
+
+ Conflicts:
+ net/unix/af_unix.c
+
+commit b5847e6a896c5d99191135ca4d7c3b6be8f116ff
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 9 23:11:36 2015 -0500
+
+ Update to pax-linux-4.3.1-test9.patch:
+ - fixed __get_user on x86 to lie less about the size of the load, reported by peetaur (https://forums.grsecurity.net/viewtopic.php?f=3&t=4332)
+ - Emese fixed an intentional overflow caused by gcc, reported by saironiq (https://forums.grsecurity.net/viewtopic.php?f=3&t=4333)
+ - Emese fixed a false positive overflow report in the forcedeth driver, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?t=4334)
+ - Emese fixed a false positive overflow report in KVM's emulator, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4336)
+ - Emese fixed the initify plugin to detect some captured use of __func__, reported by Rasmus Villemoes <linux@rasmusvillemoes.dk>
+ - constrained shmmax and shmall to avoid triggering size overflow checks, reported by Mathias Krause <minipli@ld-linux.so>
+ - the checker plugin can partially handle sparse's locking context annotations, it's context insensitive and thus not exactly useful for now, also see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59856
+
+ Makefile | 6 +
+ arch/x86/include/asm/compat.h | 4 +
+ arch/x86/include/asm/dma.h | 2 +
+ arch/x86/include/asm/pmem.h | 2 +-
+ arch/x86/include/asm/uaccess.h | 20 +-
+ arch/x86/kernel/apic/vector.c | 6 +-
+ arch/x86/kernel/cpu/mtrr/generic.c | 6 +-
+ arch/x86/kernel/cpu/perf_event_intel.c | 28 +-
+ arch/x86/kernel/head_64.S | 1 -
+ arch/x86/kvm/i8259.c | 10 +-
+ arch/x86/kvm/ioapic.c | 2 +
+ arch/x86/kvm/x86.c | 2 +
+ arch/x86/lib/usercopy_64.c | 2 +-
+ arch/x86/mm/mpx.c | 4 +-
+ arch/x86/mm/pageattr.c | 7 +
+ drivers/base/devres.c | 4 +-
+ drivers/base/power/runtime.c | 6 +-
+ drivers/base/regmap/regmap.c | 4 +-
+ drivers/block/drbd/drbd_receiver.c | 4 +-
+ drivers/block/drbd/drbd_worker.c | 6 +-
+ drivers/char/virtio_console.c | 6 +-
+ drivers/md/dm.c | 12 +-
+ drivers/net/ethernet/nvidia/forcedeth.c | 4 +-
+ drivers/net/macvtap.c | 4 +-
+ drivers/video/fbdev/core/fbmem.c | 10 +-
+ fs/compat.c | 3 +-
+ fs/coredump.c | 2 +-
+ fs/dcache.c | 13 +-
+ fs/fhandle.c | 2 +-
+ fs/file.c | 14 +-
+ fs/fs-writeback.c | 11 +-
+ fs/overlayfs/copy_up.c | 2 +-
+ fs/readdir.c | 3 +-
+ fs/super.c | 3 +-
+ include/linux/compiler.h | 36 ++-
+ include/linux/rcupdate.h | 8 +
+ include/linux/sched.h | 4 +-
+ include/linux/seqlock.h | 10 +
+ include/linux/spinlock.h | 17 +-
+ include/linux/srcu.h | 5 +-
+ include/linux/syscalls.h | 2 +-
+ include/linux/writeback.h | 3 +-
+ include/uapi/linux/swab.h | 6 +-
+ ipc/ipc_sysctl.c | 6 +
+ kernel/exit.c | 25 +-
+ kernel/resource.c | 4 +-
+ kernel/signal.c | 12 +-
+ kernel/user.c | 2 +-
+ kernel/workqueue.c | 6 +-
+ lib/rhashtable.c | 4 +-
+ net/compat.c | 2 +-
+ net/ipv4/xfrm4_mode_transport.c | 2 +-
+ security/keys/internal.h | 8 +-
+ security/keys/keyring.c | 4 -
+ sound/core/seq/seq_clientmgr.c | 8 +-
+ sound/core/seq/seq_compat.c | 2 +-
+ sound/core/seq/seq_memory.c | 6 +-
+ tools/gcc/checker_plugin.c | 415 +++++++++++++++++++-
+ tools/gcc/gcc-common.h | 1 +
+ tools/gcc/initify_plugin.c | 33 ++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 1 -
+ 62 files changed, 708 insertions(+), 140 deletions(-)
+
+commit f2634c2f6995f4231616f24ed016f890c701f939
+Merge: 1241bff 5f8b236
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Dec 9 21:50:47 2015 -0500
+
+ Merge branch 'linux-4.3.y' into pax-4_3
+
+ Conflicts:
+ arch/x86/kernel/fpu/xstate.c
+ arch/x86/kernel/head_64.S
+
+commit 1241bff82e3d7dadb05de0a60b8d2822afc6547c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Dec 6 08:44:56 2015 -0500
+
+ Update to pax-linux-4.3-test8.patch:
+ - fixed integer truncation check in md introduced by upstream commits 284ae7cab0f7335c9e0aa8992b28415ef1a54c7c and 58c0fed400603a802968b23ddf78f029c5a84e41, reported by BeiKed9o (https://forums.grsecurity.net/viewtopic.php?f=3&t=4328)
+ - gcc plugin compilation problems will now also produce the output of the checking script to make diagnosis easier, reported by hunger
+ - Emese fixed a false positive size overflow report in __vhost_add_used_n, reported by quasar366 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4329)
+ - fixed a potential integer truncation error in the raid1 code caught by the size overflow plugin, reported by d1b (https://forums.grsecurity.net/viewtopic.php?f=3&t=4331)
+
+ Makefile | 5 +++
+ drivers/md/md.c | 5 ++-
+ drivers/md/raid1.c | 2 +-
+ fs/proc/task_mmu.c | 3 ++
+ .../disable_size_overflow_hash.data | 4 ++-
+ .../size_overflow_plugin/intentional_overflow.c | 32 ++++++++++++++++---
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ .../size_overflow_plugin/size_overflow_plugin.c | 2 +-
+ 8 files changed, 43 insertions(+), 12 deletions(-)
+
+commit cce6a9f9bdd27096632ca1c0246dcc07f2eb1a18
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Dec 4 14:24:12 2015 -0500
+
+ Initial import of pax-linux-4.3-test7.patch
Documentation/dontdiff | 47 +-
Documentation/kbuild/makefiles.txt | 39 +-
arch/alpha/kernel/osf_sys.c | 8 +-
arch/alpha/mm/fault.c | 141 +-
arch/arm/Kconfig | 2 +-
- arch/arm/include/asm/atomic.h | 319 +-
- arch/arm/include/asm/barrier.h | 2 +-
+ arch/arm/include/asm/atomic.h | 320 +-
arch/arm/include/asm/cache.h | 5 +-
arch/arm/include/asm/cacheflush.h | 2 +-
arch/arm/include/asm/checksum.h | 14 +-
- arch/arm/include/asm/cmpxchg.h | 2 +
- arch/arm/include/asm/domain.h | 33 +-
+ arch/arm/include/asm/cmpxchg.h | 4 +
+ arch/arm/include/asm/cpuidle.h | 2 +-
+ arch/arm/include/asm/domain.h | 22 +-
arch/arm/include/asm/elf.h | 9 +-
arch/arm/include/asm/fncpy.h | 2 +
arch/arm/include/asm/futex.h | 10 +
arch/arm/include/asm/pgtable-2level.h | 3 +
arch/arm/include/asm/pgtable-3level.h | 3 +
arch/arm/include/asm/pgtable.h | 54 +-
- arch/arm/include/asm/psci.h | 2 +-
arch/arm/include/asm/smp.h | 2 +-
- arch/arm/include/asm/thread_info.h | 6 +-
arch/arm/include/asm/tls.h | 3 +
- arch/arm/include/asm/uaccess.h | 96 +-
+ arch/arm/include/asm/uaccess.h | 79 +-
arch/arm/include/uapi/asm/ptrace.h | 2 +-
- arch/arm/kernel/armksyms.c | 8 +-
- arch/arm/kernel/entry-armv.S | 110 +-
+ arch/arm/kernel/armksyms.c | 2 +-
+ arch/arm/kernel/cpuidle.c | 2 +-
+ arch/arm/kernel/entry-armv.S | 109 +-
arch/arm/kernel/entry-common.S | 40 +-
- arch/arm/kernel/entry-header.S | 60 +
+ arch/arm/kernel/entry-header.S | 55 +
arch/arm/kernel/fiq.c | 3 +
- arch/arm/kernel/head.S | 2 +-
- arch/arm/kernel/module.c | 31 +-
+ arch/arm/kernel/module-plts.c | 7 +-
+ arch/arm/kernel/module.c | 38 +-
arch/arm/kernel/patch.c | 2 +
arch/arm/kernel/process.c | 90 +-
- arch/arm/kernel/psci.c | 2 +-
arch/arm/kernel/reboot.c | 1 +
arch/arm/kernel/setup.c | 20 +-
arch/arm/kernel/signal.c | 35 +-
arch/arm/kernel/smp.c | 2 +-
arch/arm/kernel/tcm.c | 4 +-
- arch/arm/kernel/traps.c | 6 +-
arch/arm/kernel/vmlinux.lds.S | 6 +-
- arch/arm/kvm/arm.c | 10 +-
- arch/arm/lib/clear_user.S | 6 +-
- arch/arm/lib/copy_from_user.S | 6 +-
+ arch/arm/kvm/arm.c | 8 +-
arch/arm/lib/copy_page.S | 1 +
- arch/arm/lib/copy_to_user.S | 6 +-
arch/arm/lib/csumpartialcopyuser.S | 4 +-
arch/arm/lib/delay.c | 2 +-
arch/arm/lib/uaccess_with_memcpy.c | 4 +-
arch/arm/mach-exynos/suspend.c | 6 +-
- arch/arm/mach-keystone/keystone.c | 2 +-
arch/arm/mach-mvebu/coherency.c | 4 +-
arch/arm/mach-omap2/board-n8x0.c | 2 +-
arch/arm/mach-omap2/omap-mpuss-lowpower.c | 4 +-
arch/arm/mach-omap2/omap_hwmod.c | 4 +-
arch/arm/mach-omap2/powerdomains43xx_data.c | 5 +-
arch/arm/mach-omap2/wd_timer.c | 6 +-
+ arch/arm/mach-shmobile/platsmp-apmu.c | 5 +-
arch/arm/mach-tegra/cpuidle-tegra20.c | 2 +-
arch/arm/mach-tegra/irq.c | 1 +
arch/arm/mach-ux500/pm.c | 1 +
- arch/arm/mach-ux500/setup.h | 7 -
arch/arm/mach-zynq/platsmp.c | 1 +
arch/arm/mm/Kconfig | 6 +-
arch/arm/mm/alignment.c | 8 +
arch/arm/mm/init.c | 39 +
arch/arm/mm/ioremap.c | 4 +-
arch/arm/mm/mmap.c | 30 +-
- arch/arm/mm/mmu.c | 182 +-
+ arch/arm/mm/mmu.c | 162 +-
arch/arm/net/bpf_jit_32.c | 3 +
arch/arm/plat-iop/setup.c | 2 +-
arch/arm/plat-omap/sram.c | 2 +
arch/arm64/include/asm/atomic.h | 10 +
- arch/arm64/include/asm/barrier.h | 2 +-
arch/arm64/include/asm/percpu.h | 8 +-
arch/arm64/include/asm/pgalloc.h | 5 +
arch/arm64/include/asm/uaccess.h | 1 +
arch/frv/mm/elf-fdpic.c | 3 +-
arch/ia64/Makefile | 1 +
arch/ia64/include/asm/atomic.h | 10 +
- arch/ia64/include/asm/barrier.h | 2 +-
arch/ia64/include/asm/elf.h | 7 +
arch/ia64/include/asm/pgalloc.h | 12 +
arch/ia64/include/asm/pgtable.h | 13 +-
arch/ia64/mm/fault.c | 32 +-
arch/ia64/mm/init.c | 15 +-
arch/m32r/lib/usercopy.c | 6 +
- arch/metag/include/asm/barrier.h | 2 +-
arch/mips/cavium-octeon/dma-octeon.c | 2 +-
- arch/mips/include/asm/atomic.h | 355 +-
- arch/mips/include/asm/barrier.h | 2 +-
+ arch/mips/include/asm/atomic.h | 368 +-
arch/mips/include/asm/elf.h | 7 +
arch/mips/include/asm/exec.h | 2 +-
arch/mips/include/asm/hw_irq.h | 2 +-
arch/mips/include/asm/uaccess.h | 1 +
arch/mips/kernel/binfmt_elfn32.c | 7 +
arch/mips/kernel/binfmt_elfo32.c | 7 +
- arch/mips/kernel/i8259.c | 2 +-
arch/mips/kernel/irq-gt641xx.c | 2 +-
arch/mips/kernel/irq.c | 6 +-
arch/mips/kernel/pm-cps.c | 2 +-
arch/mips/kernel/process.c | 12 -
arch/mips/kernel/sync-r4k.c | 24 +-
arch/mips/kernel/traps.c | 13 +-
- arch/mips/kvm/mips.c | 2 +-
arch/mips/mm/fault.c | 25 +
arch/mips/mm/mmap.c | 51 +-
arch/mips/sgi-ip27/ip27-nmi.c | 6 +-
arch/parisc/kernel/traps.c | 4 +-
arch/parisc/mm/fault.c | 140 +-
arch/powerpc/include/asm/atomic.h | 329 +-
- arch/powerpc/include/asm/barrier.h | 2 +-
arch/powerpc/include/asm/elf.h | 12 +
arch/powerpc/include/asm/exec.h | 2 +-
arch/powerpc/include/asm/kmap_types.h | 2 +-
arch/powerpc/kernel/signal_64.c | 2 +-
arch/powerpc/kernel/traps.c | 21 +
arch/powerpc/kernel/vdso.c | 5 +-
- arch/powerpc/kvm/powerpc.c | 2 +-
arch/powerpc/lib/usercopy_64.c | 18 -
arch/powerpc/mm/fault.c | 56 +-
arch/powerpc/mm/mmap.c | 16 +
arch/powerpc/mm/slice.c | 13 +-
arch/powerpc/platforms/cell/spufs/file.c | 4 +-
arch/s390/include/asm/atomic.h | 10 +
- arch/s390/include/asm/barrier.h | 2 +-
arch/s390/include/asm/elf.h | 7 +
arch/s390/include/asm/exec.h | 2 +-
arch/s390/include/asm/uaccess.h | 13 +-
arch/score/kernel/process.c | 5 -
arch/sh/mm/mmap.c | 22 +-
arch/sparc/include/asm/atomic_64.h | 110 +-
- arch/sparc/include/asm/barrier_64.h | 2 +-
arch/sparc/include/asm/cache.h | 2 +-
arch/sparc/include/asm/elf_32.h | 7 +
arch/sparc/include/asm/elf_64.h | 7 +
arch/um/include/asm/page.h | 3 +
arch/um/include/asm/pgtable-3level.h | 1 +
arch/um/kernel/process.c | 16 -
- arch/x86/Kconfig | 11 +-
+ arch/x86/Kconfig | 15 +-
arch/x86/Kconfig.cpu | 6 +-
arch/x86/Kconfig.debug | 4 +-
arch/x86/Makefile | 13 +-
arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 25 +-
arch/x86/crypto/twofish-x86_64-asm_64-3way.S | 4 +
arch/x86/crypto/twofish-x86_64-asm_64.S | 3 +
+ arch/x86/entry/calling.h | 86 +-
+ arch/x86/entry/common.c | 13 +-
+ arch/x86/entry/entry_32.S | 351 +-
+ arch/x86/entry/entry_64.S | 619 +-
+ arch/x86/entry/entry_64_compat.S | 159 +-
+ arch/x86/entry/thunk_64.S | 2 +
+ arch/x86/entry/vdso/Makefile | 2 +-
+ arch/x86/entry/vdso/vdso2c.h | 8 +-
+ arch/x86/entry/vdso/vma.c | 41 +-
+ arch/x86/entry/vsyscall/vsyscall_64.c | 16 +-
+ arch/x86/entry/vsyscall/vsyscall_emu_64.S | 2 +-
arch/x86/ia32/ia32_signal.c | 23 +-
- arch/x86/ia32/ia32entry.S | 164 +-
- arch/x86/ia32/sys_ia32.c | 4 +-
+ arch/x86/ia32/sys_ia32.c | 42 +-
arch/x86/include/asm/alternative-asm.h | 43 +-
arch/x86/include/asm/alternative.h | 4 +-
arch/x86/include/asm/apic.h | 2 +-
arch/x86/include/asm/apm.h | 4 +-
- arch/x86/include/asm/atomic.h | 269 +-
+ arch/x86/include/asm/atomic.h | 230 +-
arch/x86/include/asm/atomic64_32.h | 100 +
arch/x86/include/asm/atomic64_64.h | 164 +-
- arch/x86/include/asm/barrier.h | 4 +-
arch/x86/include/asm/bitops.h | 18 +-
- arch/x86/include/asm/boot.h | 7 +-
+ arch/x86/include/asm/boot.h | 2 +-
arch/x86/include/asm/cache.h | 5 +-
- arch/x86/include/asm/calling.h | 92 +-
arch/x86/include/asm/checksum_32.h | 12 +-
arch/x86/include/asm/cmpxchg.h | 39 +
arch/x86/include/asm/compat.h | 2 +-
- arch/x86/include/asm/cpufeature.h | 16 +-
+ arch/x86/include/asm/cpufeature.h | 17 +-
arch/x86/include/asm/desc.h | 78 +-
arch/x86/include/asm/desc_defs.h | 6 +
arch/x86/include/asm/div64.h | 2 +-
arch/x86/include/asm/elf.h | 33 +-
arch/x86/include/asm/emergency-restart.h | 2 +-
- arch/x86/include/asm/fpu-internal.h | 8 +-
+ arch/x86/include/asm/fpu/internal.h | 42 +-
+ arch/x86/include/asm/fpu/types.h | 6 +-
arch/x86/include/asm/futex.h | 14 +-
arch/x86/include/asm/hw_irq.h | 4 +-
arch/x86/include/asm/i8259.h | 2 +-
- arch/x86/include/asm/io.h | 21 +-
+ arch/x86/include/asm/io.h | 22 +-
arch/x86/include/asm/irqflags.h | 5 +
arch/x86/include/asm/kprobes.h | 9 +-
arch/x86/include/asm/local.h | 106 +-
arch/x86/include/asm/mman.h | 15 +
- arch/x86/include/asm/mmu.h | 16 +-
- arch/x86/include/asm/mmu_context.h | 136 +-
+ arch/x86/include/asm/mmu.h | 14 +-
+ arch/x86/include/asm/mmu_context.h | 114 +-
arch/x86/include/asm/module.h | 17 +-
arch/x86/include/asm/nmi.h | 19 +-
arch/x86/include/asm/page.h | 1 +
- arch/x86/include/asm/page_64.h | 8 +-
+ arch/x86/include/asm/page_32.h | 12 +-
+ arch/x86/include/asm/page_64.h | 14 +-
arch/x86/include/asm/paravirt.h | 46 +-
arch/x86/include/asm/paravirt_types.h | 15 +-
arch/x86/include/asm/pgalloc.h | 23 +
arch/x86/include/asm/pgtable-2level.h | 2 +
- arch/x86/include/asm/pgtable-3level.h | 4 +
+ arch/x86/include/asm/pgtable-3level.h | 7 +
arch/x86/include/asm/pgtable.h | 128 +-
arch/x86/include/asm/pgtable_32.h | 14 +-
- arch/x86/include/asm/pgtable_32_types.h | 15 +-
- arch/x86/include/asm/pgtable_64.h | 22 +-
+ arch/x86/include/asm/pgtable_32_types.h | 24 +-
+ arch/x86/include/asm/pgtable_64.h | 23 +-
arch/x86/include/asm/pgtable_64_types.h | 5 +
arch/x86/include/asm/pgtable_types.h | 26 +-
arch/x86/include/asm/preempt.h | 2 +-
- arch/x86/include/asm/processor.h | 49 +-
+ arch/x86/include/asm/processor.h | 57 +-
arch/x86/include/asm/ptrace.h | 13 +-
- arch/x86/include/asm/qrwlock.h | 4 +-
arch/x86/include/asm/realmode.h | 4 +-
arch/x86/include/asm/reboot.h | 10 +-
arch/x86/include/asm/rmwcc.h | 84 +-
arch/x86/include/asm/stackprotector.h | 4 +-
arch/x86/include/asm/stacktrace.h | 32 +-
arch/x86/include/asm/switch_to.h | 4 +-
- arch/x86/include/asm/thread_info.h | 23 +-
- arch/x86/include/asm/tlbflush.h | 75 +-
+ arch/x86/include/asm/sys_ia32.h | 6 +-
+ arch/x86/include/asm/thread_info.h | 27 +-
+ arch/x86/include/asm/tlbflush.h | 77 +-
arch/x86/include/asm/uaccess.h | 192 +-
arch/x86/include/asm/uaccess_32.h | 28 +-
arch/x86/include/asm/uaccess_64.h | 169 +-
arch/x86/include/asm/word-at-a-time.h | 2 +-
arch/x86/include/asm/x86_init.h | 10 +-
arch/x86/include/asm/xen/page.h | 2 +-
- arch/x86/include/asm/xsave.h | 14 +-
arch/x86/include/uapi/asm/e820.h | 2 +-
arch/x86/kernel/Makefile | 2 +-
arch/x86/kernel/acpi/boot.c | 4 +-
arch/x86/kernel/acpi/sleep.c | 4 +
arch/x86/kernel/acpi/wakeup_32.S | 6 +-
- arch/x86/kernel/alternative.c | 88 +-
+ arch/x86/kernel/alternative.c | 124 +-
arch/x86/kernel/apic/apic.c | 4 +-
- arch/x86/kernel/apic/apic_flat_64.c | 4 +-
+ arch/x86/kernel/apic/apic_flat_64.c | 6 +-
arch/x86/kernel/apic/apic_noop.c | 2 +-
arch/x86/kernel/apic/bigsmp_32.c | 2 +-
arch/x86/kernel/apic/io_apic.c | 8 +-
- arch/x86/kernel/apic/probe_32.c | 2 +-
+ arch/x86/kernel/apic/msi.c | 2 +-
+ arch/x86/kernel/apic/probe_32.c | 4 +-
arch/x86/kernel/apic/vector.c | 4 +-
- arch/x86/kernel/apic/x2apic_cluster.c | 4 +-
+ arch/x86/kernel/apic/x2apic_cluster.c | 2 +-
arch/x86/kernel/apic/x2apic_phys.c | 2 +-
arch/x86/kernel/apic/x2apic_uv_x.c | 2 +-
arch/x86/kernel/apm_32.c | 21 +-
arch/x86/kernel/asm-offsets_64.c | 1 +
arch/x86/kernel/cpu/Makefile | 4 -
arch/x86/kernel/cpu/amd.c | 2 +-
- arch/x86/kernel/cpu/common.c | 140 +-
+ arch/x86/kernel/cpu/bugs_64.c | 2 +
+ arch/x86/kernel/cpu/common.c | 202 +-
arch/x86/kernel/cpu/intel_cacheinfo.c | 14 +-
- arch/x86/kernel/cpu/mcheck/mce.c | 31 +-
+ arch/x86/kernel/cpu/mcheck/mce.c | 34 +-
arch/x86/kernel/cpu/mcheck/p5.c | 3 +
arch/x86/kernel/cpu/mcheck/winchip.c | 3 +
- arch/x86/kernel/cpu/microcode/core.c | 2 +-
arch/x86/kernel/cpu/microcode/intel.c | 4 +-
arch/x86/kernel/cpu/mtrr/main.c | 2 +-
arch/x86/kernel/cpu/mtrr/mtrr.h | 2 +-
- arch/x86/kernel/cpu/perf_event.c | 8 +-
+ arch/x86/kernel/cpu/perf_event.c | 10 +-
arch/x86/kernel/cpu/perf_event_amd_iommu.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel.c | 6 +-
arch/x86/kernel/cpu/perf_event_intel_bts.c | 6 +-
arch/x86/kernel/cpu/perf_event_intel_rapl.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
arch/x86/kernel/cpu/perf_event_intel_uncore.h | 2 +-
- arch/x86/kernel/cpuid.c | 2 +-
arch/x86/kernel/crash_dump_64.c | 2 +-
arch/x86/kernel/doublefault.c | 8 +-
arch/x86/kernel/dumpstack.c | 24 +-
arch/x86/kernel/dumpstack_64.c | 62 +-
arch/x86/kernel/e820.c | 4 +-
arch/x86/kernel/early_printk.c | 1 +
- arch/x86/kernel/entry_32.S | 360 +-
- arch/x86/kernel/entry_64.S | 651 +-
- arch/x86/kernel/espfix_64.c | 13 +-
+ arch/x86/kernel/espfix_64.c | 44 +-
+ arch/x86/kernel/fpu/core.c | 24 +-
+ arch/x86/kernel/fpu/init.c | 40 +-
+ arch/x86/kernel/fpu/regset.c | 22 +-
+ arch/x86/kernel/fpu/signal.c | 20 +-
+ arch/x86/kernel/fpu/xstate.c | 8 +-
arch/x86/kernel/ftrace.c | 18 +-
- arch/x86/kernel/head64.c | 13 +-
- arch/x86/kernel/head_32.S | 228 +-
- arch/x86/kernel/head_64.S | 149 +-
+ arch/x86/kernel/head64.c | 14 +-
+ arch/x86/kernel/head_32.S | 235 +-
+ arch/x86/kernel/head_64.S | 173 +-
arch/x86/kernel/i386_ksyms_32.c | 12 +
arch/x86/kernel/i8259.c | 10 +-
arch/x86/kernel/io_delay.c | 2 +-
arch/x86/kernel/ioport.c | 2 +-
arch/x86/kernel/irq.c | 8 +-
arch/x86/kernel/irq_32.c | 45 +-
- arch/x86/kernel/jump_label.c | 8 +-
+ arch/x86/kernel/jump_label.c | 10 +-
arch/x86/kernel/kgdb.c | 21 +-
arch/x86/kernel/kprobes/core.c | 28 +-
arch/x86/kernel/kprobes/opt.c | 16 +-
arch/x86/kernel/ksysfs.c | 2 +-
- arch/x86/kernel/ldt.c | 31 +-
+ arch/x86/kernel/kvmclock.c | 20 +-
+ arch/x86/kernel/ldt.c | 25 +
arch/x86/kernel/livepatch.c | 12 +-
arch/x86/kernel/machine_kexec_32.c | 6 +-
arch/x86/kernel/mcount_64.S | 19 +-
arch/x86/kernel/pci-calgary_64.c | 2 +-
arch/x86/kernel/pci-iommu_table.c | 2 +-
arch/x86/kernel/pci-swiotlb.c | 2 +-
- arch/x86/kernel/process.c | 56 +-
- arch/x86/kernel/process_32.c | 34 +-
- arch/x86/kernel/process_64.c | 20 +-
+ arch/x86/kernel/process.c | 80 +-
+ arch/x86/kernel/process_32.c | 29 +-
+ arch/x86/kernel/process_64.c | 14 +-
arch/x86/kernel/ptrace.c | 20 +-
arch/x86/kernel/pvclock.c | 8 +-
arch/x86/kernel/reboot.c | 44 +-
arch/x86/kernel/reboot_fixups_32.c | 2 +-
arch/x86/kernel/relocate_kernel_64.S | 3 +-
- arch/x86/kernel/setup.c | 27 +-
+ arch/x86/kernel/setup.c | 29 +-
arch/x86/kernel/setup_percpu.c | 29 +-
arch/x86/kernel/signal.c | 17 +-
arch/x86/kernel/smp.c | 2 +-
- arch/x86/kernel/smpboot.c | 31 +-
- arch/x86/kernel/step.c | 10 +-
+ arch/x86/kernel/smpboot.c | 29 +-
+ arch/x86/kernel/step.c | 6 +-
arch/x86/kernel/sys_i386_32.c | 184 +
arch/x86/kernel/sys_x86_64.c | 22 +-
arch/x86/kernel/tboot.c | 14 +-
arch/x86/kernel/tsc.c | 2 +-
arch/x86/kernel/uprobes.c | 2 +-
arch/x86/kernel/vm86_32.c | 6 +-
- arch/x86/kernel/vmlinux.lds.S | 147 +-
- arch/x86/kernel/vsyscall_64.c | 16 +-
+ arch/x86/kernel/vmlinux.lds.S | 153 +-
arch/x86/kernel/x8664_ksyms_64.c | 6 +-
arch/x86/kernel/x86_init.c | 6 +-
- arch/x86/kernel/xsave.c | 10 +-
arch/x86/kvm/cpuid.c | 21 +-
arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/lapic.c | 2 +-
arch/x86/kvm/paging_tmpl.h | 2 +-
- arch/x86/kvm/svm.c | 8 +
- arch/x86/kvm/vmx.c | 82 +-
- arch/x86/kvm/x86.c | 8 +-
+ arch/x86/kvm/svm.c | 10 +-
+ arch/x86/kvm/vmx.c | 62 +-
+ arch/x86/kvm/x86.c | 42 +-
arch/x86/lguest/boot.c | 3 +-
arch/x86/lib/atomic64_386_32.S | 164 +
- arch/x86/lib/atomic64_cx8_32.S | 104 +-
- arch/x86/lib/checksum_32.S | 100 +-
+ arch/x86/lib/atomic64_cx8_32.S | 98 +-
+ arch/x86/lib/checksum_32.S | 99 +-
arch/x86/lib/clear_page_64.S | 3 +
arch/x86/lib/cmpxchg16b_emu.S | 3 +
- arch/x86/lib/copy_page_64.S | 18 +-
- arch/x86/lib/copy_user_64.S | 60 +-
- arch/x86/lib/copy_user_nocache_64.S | 14 +
- arch/x86/lib/csum-copy_64.S | 18 +-
+ arch/x86/lib/copy_page_64.S | 14 +-
+ arch/x86/lib/copy_user_64.S | 66 +-
+ arch/x86/lib/csum-copy_64.S | 14 +-
arch/x86/lib/csum-wrappers_64.c | 8 +-
arch/x86/lib/getuser.S | 74 +-
arch/x86/lib/insn.c | 8 +-
arch/x86/lib/memset_64.S | 3 +
arch/x86/lib/mmx_32.c | 243 +-
arch/x86/lib/msr-reg.S | 2 +
- arch/x86/lib/putuser.S | 90 +-
+ arch/x86/lib/putuser.S | 87 +-
arch/x86/lib/rwsem.S | 6 +-
- arch/x86/lib/thunk_64.S | 2 +
- arch/x86/lib/usercopy_32.c | 357 +-
+ arch/x86/lib/usercopy_32.c | 359 +-
arch/x86/lib/usercopy_64.c | 20 +-
+ arch/x86/math-emu/fpu_aux.c | 2 +-
+ arch/x86/math-emu/fpu_entry.c | 4 +-
+ arch/x86/math-emu/fpu_system.h | 2 +-
arch/x86/mm/Makefile | 4 +
- arch/x86/mm/extable.c | 25 +-
+ arch/x86/mm/extable.c | 26 +-
arch/x86/mm/fault.c | 570 +-
arch/x86/mm/gup.c | 6 +-
- arch/x86/mm/highmem_32.c | 4 +
+ arch/x86/mm/highmem_32.c | 6 +
arch/x86/mm/hugetlbpage.c | 24 +-
- arch/x86/mm/init.c | 101 +-
+ arch/x86/mm/init.c | 111 +-
arch/x86/mm/init_32.c | 111 +-
arch/x86/mm/init_64.c | 46 +-
arch/x86/mm/iomap_32.c | 4 +
- arch/x86/mm/ioremap.c | 45 +-
+ arch/x86/mm/ioremap.c | 52 +-
arch/x86/mm/kmemcheck/kmemcheck.c | 4 +-
arch/x86/mm/mmap.c | 40 +-
arch/x86/mm/mmio-mod.c | 10 +-
arch/x86/mm/numa.c | 2 +-
- arch/x86/mm/pageattr.c | 33 +-
- arch/x86/mm/pat.c | 20 +-
+ arch/x86/mm/pageattr.c | 38 +-
+ arch/x86/mm/pat.c | 12 +-
arch/x86/mm/pat_rbtree.c | 2 +-
arch/x86/mm/pf_in.c | 10 +-
- arch/x86/mm/pgtable.c | 162 +-
+ arch/x86/mm/pgtable.c | 214 +-
arch/x86/mm/pgtable_32.c | 3 +
- arch/x86/mm/physaddr.c | 4 +-
arch/x86/mm/setup_nx.c | 7 +
arch/x86/mm/tlb.c | 4 +
arch/x86/mm/uderef_64.c | 37 +
arch/x86/realmode/rm/trampoline_64.S | 3 +-
arch/x86/realmode/rm/wakeup_asm.S | 5 +-
arch/x86/tools/Makefile | 2 +-
- arch/x86/tools/relocs.c | 94 +-
+ arch/x86/tools/relocs.c | 96 +-
arch/x86/um/mem_32.c | 2 +-
arch/x86/um/tls_32.c | 2 +-
- arch/x86/vdso/Makefile | 2 +-
- arch/x86/vdso/vdso2c.h | 2 +-
- arch/x86/vdso/vdso32-setup.c | 1 +
- arch/x86/vdso/vma.c | 41 +-
arch/x86/xen/enlighten.c | 50 +-
- arch/x86/xen/mmu.c | 17 +-
+ arch/x86/xen/mmu.c | 19 +-
arch/x86/xen/smp.c | 16 +-
arch/x86/xen/xen-asm_32.S | 2 +-
arch/x86/xen/xen-head.S | 11 +
block/scsi_ioctl.c | 29 +-
crypto/cryptd.c | 4 +-
crypto/pcrypt.c | 2 +-
- crypto/zlib.c | 4 +-
+ crypto/zlib.c | 12 +-
+ drivers/acpi/acpi_video.c | 2 +-
drivers/acpi/apei/apei-internal.h | 2 +-
drivers/acpi/apei/ghes.c | 4 +-
drivers/acpi/bgrt.c | 6 +-
drivers/acpi/device_pm.c | 4 +-
drivers/acpi/ec.c | 2 +-
drivers/acpi/pci_slot.c | 2 +-
- drivers/acpi/processor_driver.c | 2 +-
drivers/acpi/processor_idle.c | 2 +-
drivers/acpi/processor_pdc.c | 2 +-
drivers/acpi/sleep.c | 2 +-
drivers/acpi/sysfs.c | 4 +-
drivers/acpi/thermal.c | 2 +-
- drivers/acpi/video.c | 2 +-
- drivers/ata/libahci.c | 2 +-
+ drivers/acpi/video_detect.c | 7 +-
drivers/ata/libata-core.c | 12 +-
drivers/ata/libata-scsi.c | 2 +-
drivers/ata/libata.h | 2 +-
drivers/base/bus.c | 4 +-
drivers/base/devtmpfs.c | 8 +-
drivers/base/node.c | 2 +-
+ drivers/base/platform-msi.c | 20 +-
drivers/base/power/domain.c | 11 +-
drivers/base/power/sysfs.c | 2 +-
drivers/base/power/wakeup.c | 8 +-
+ drivers/base/regmap/regmap-debugfs.c | 11 +-
drivers/base/syscore.c | 4 +-
drivers/block/cciss.c | 28 +-
drivers/block/cciss.h | 2 +-
drivers/block/pktcdvd.c | 4 +-
drivers/block/rbd.c | 2 +-
drivers/bluetooth/btwilink.c | 2 +-
+ drivers/bus/arm-cci.c | 12 +-
drivers/cdrom/cdrom.c | 11 +-
drivers/cdrom/gdrom.c | 1 -
drivers/char/agp/compat_ioctl.c | 2 +-
drivers/char/agp/frontend.c | 4 +-
+ drivers/char/agp/intel-gtt.c | 4 +-
drivers/char/hpet.c | 2 +-
- drivers/char/i8k.c | 2 +-
drivers/char/ipmi/ipmi_msghandler.c | 8 +-
drivers/char/ipmi/ipmi_si_intf.c | 8 +-
drivers/char/mem.c | 47 +-
drivers/char/random.c | 12 +-
drivers/char/sonypi.c | 11 +-
drivers/char/tpm/tpm_acpi.c | 3 +-
- drivers/char/tpm/tpm_eventlog.c | 7 +-
+ drivers/char/tpm/tpm_eventlog.c | 4 +-
drivers/char/virtio_console.c | 4 +-
drivers/clk/clk-composite.c | 2 +-
drivers/clk/samsung/clk.h | 2 +-
drivers/clk/socfpga/clk-gate.c | 9 +-
drivers/clk/socfpga/clk-pll.c | 9 +-
+ drivers/clk/ti/clk.c | 8 +-
drivers/cpufreq/acpi-cpufreq.c | 17 +-
drivers/cpufreq/cpufreq-dt.c | 4 +-
- drivers/cpufreq/cpufreq.c | 26 +-
- drivers/cpufreq/cpufreq_governor.c | 6 +-
+ drivers/cpufreq/cpufreq.c | 30 +-
+ drivers/cpufreq/cpufreq_governor.c | 2 +-
drivers/cpufreq/cpufreq_governor.h | 4 +-
drivers/cpufreq/cpufreq_ondemand.c | 10 +-
drivers/cpufreq/intel_pstate.c | 33 +-
drivers/cpufreq/sparc-us3-cpufreq.c | 67 +-
drivers/cpufreq/speedstep-centrino.c | 7 +-
drivers/cpuidle/driver.c | 2 +-
+ drivers/cpuidle/dt_idle_states.c | 2 +-
drivers/cpuidle/governor.c | 2 +-
drivers/cpuidle/sysfs.c | 2 +-
drivers/crypto/hifn_795x.c | 4 +-
drivers/firewire/core-transaction.c | 1 +
drivers/firewire/core.h | 1 +
drivers/firmware/dmi-id.c | 2 +-
+ drivers/firmware/dmi_scan.c | 12 +-
drivers/firmware/efi/cper.c | 8 +-
drivers/firmware/efi/efi.c | 12 +-
drivers/firmware/efi/efivars.c | 2 +-
drivers/firmware/google/gsmi.c | 2 +-
drivers/firmware/google/memconsole.c | 7 +-
drivers/firmware/memmap.c | 2 +-
+ drivers/firmware/psci.c | 2 +-
+ drivers/gpio/gpio-davinci.c | 6 +-
drivers/gpio/gpio-em.c | 2 +-
drivers/gpio/gpio-ich.c | 2 +-
- drivers/gpio/gpio-omap.c | 2 +-
+ drivers/gpio/gpio-omap.c | 4 +-
drivers/gpio/gpio-rcar.c | 2 +-
drivers/gpio/gpio-vr41xx.c | 2 +-
- drivers/gpio/gpiolib.c | 13 +-
- .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.h | 2 +-
+ drivers/gpio/gpiolib.c | 12 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 6 +-
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 90 +-
+ .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.h | 8 +-
+ .../drm/amd/amdkfd/kfd_device_queue_manager_cik.c | 14 +-
+ .../drm/amd/amdkfd/kfd_device_queue_manager_vi.c | 14 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c | 4 +-
+ drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h | 2 +-
+ .../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 16 +-
drivers/gpu/drm/drm_crtc.c | 2 +-
drivers/gpu/drm/drm_drv.c | 2 +-
drivers/gpu/drm/drm_fops.c | 12 +-
drivers/gpu/drm/i810/i810_drv.h | 4 +-
drivers/gpu/drm/i915/i915_dma.c | 2 +-
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 4 +-
- drivers/gpu/drm/i915/i915_ioc32.c | 16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.c | 16 +-
+ drivers/gpu/drm/i915/i915_gem_gtt.h | 6 +-
+ drivers/gpu/drm/i915/i915_ioc32.c | 10 +-
drivers/gpu/drm/i915/intel_display.c | 26 +-
drivers/gpu/drm/imx/imx-drm-core.c | 2 +-
drivers/gpu/drm/mga/mga_drv.h | 4 +-
drivers/gpu/drm/nouveau/nouveau_drm.h | 1 -
drivers/gpu/drm/nouveau/nouveau_ioc32.c | 2 +-
drivers/gpu/drm/nouveau/nouveau_vga.c | 2 +-
+ drivers/gpu/drm/omapdrm/Makefile | 2 +-
drivers/gpu/drm/qxl/qxl_cmd.c | 12 +-
drivers/gpu/drm/qxl/qxl_debugfs.c | 8 +-
drivers/gpu/drm/qxl/qxl_drv.h | 8 +-
drivers/gpu/drm/tegra/dc.c | 2 +-
drivers/gpu/drm/tegra/dsi.c | 2 +-
drivers/gpu/drm/tegra/hdmi.c | 2 +-
+ drivers/gpu/drm/tegra/sor.c | 7 +-
+ drivers/gpu/drm/tilcdc/Makefile | 6 +-
drivers/gpu/drm/ttm/ttm_memory.c | 4 +-
drivers/gpu/drm/ttm/ttm_page_alloc.c | 18 +-
drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 18 +-
drivers/gpu/drm/via/via_irq.c | 18 +-
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 8 +-
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_marker.c | 2 +-
drivers/gpu/vga/vga_switcheroo.c | 4 +-
drivers/hid/hid-core.c | 4 +-
+ drivers/hid/hid-sensor-custom.c | 2 +-
drivers/hv/channel.c | 2 +-
drivers/hv/hv.c | 4 +-
drivers/hv/hv_balloon.c | 18 +-
drivers/hwmon/applesmc.c | 2 +-
drivers/hwmon/asus_atk0110.c | 10 +-
drivers/hwmon/coretemp.c | 2 +-
+ drivers/hwmon/dell-smm-hwmon.c | 2 +-
drivers/hwmon/ibmaem.c | 2 +-
drivers/hwmon/iio_hwmon.c | 2 +-
drivers/hwmon/nct6683.c | 6 +-
drivers/hwmon/sht15.c | 12 +-
drivers/hwmon/via-cputemp.c | 2 +-
drivers/i2c/busses/i2c-amd756-s4882.c | 2 +-
- drivers/i2c/busses/i2c-diolan-u2c.c | 2 +-
drivers/i2c/busses/i2c-nforce2-s4985.c | 2 +-
drivers/i2c/i2c-dev.c | 2 +-
drivers/ide/ide-cd.c | 2 +-
+ drivers/ide/ide-disk.c | 2 +-
drivers/iio/industrialio-core.c | 2 +-
+ drivers/iio/magnetometer/ak8975.c | 2 +-
drivers/infiniband/core/cm.c | 32 +-
drivers/infiniband/core/fmr_pool.c | 20 +-
drivers/infiniband/core/uverbs_cmd.c | 3 +
drivers/infiniband/hw/cxgb4/mem.c | 4 +-
- drivers/infiniband/hw/ipath/ipath_rc.c | 6 +-
- drivers/infiniband/hw/ipath/ipath_ruc.c | 6 +-
drivers/infiniband/hw/mlx4/mad.c | 2 +-
drivers/infiniband/hw/mlx4/mcg.c | 2 +-
drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +-
drivers/input/serio/serio.c | 4 +-
drivers/input/serio/serio_raw.c | 4 +-
drivers/input/touchscreen/htcpen.c | 2 +-
+ drivers/iommu/arm-smmu-v3.c | 2 +-
drivers/iommu/arm-smmu.c | 43 +-
drivers/iommu/io-pgtable-arm.c | 101 +-
drivers/iommu/io-pgtable.c | 11 +-
drivers/iommu/io-pgtable.h | 19 +-
drivers/iommu/iommu.c | 2 +-
drivers/iommu/ipmmu-vmsa.c | 13 +-
- drivers/iommu/irq_remapping.c | 12 +-
+ drivers/iommu/irq_remapping.c | 2 +-
drivers/irqchip/irq-gic.c | 2 +-
+ drivers/irqchip/irq-i8259.c | 2 +-
drivers/irqchip/irq-renesas-intc-irqpin.c | 2 +-
drivers/irqchip/irq-renesas-irqc.c | 2 +-
drivers/isdn/capi/capi.c | 10 +-
drivers/md/bcache/closure.h | 2 +-
drivers/md/bitmap.c | 2 +-
drivers/md/dm-ioctl.c | 2 +-
- drivers/md/dm-raid1.c | 16 +-
+ drivers/md/dm-raid1.c | 18 +-
drivers/md/dm-stats.c | 6 +-
drivers/md/dm-stripe.c | 10 +-
drivers/md/dm-table.c | 2 +-
drivers/md/persistent-data/dm-space-map-metadata.c | 4 +-
drivers/md/persistent-data/dm-space-map.h | 1 +
drivers/md/raid1.c | 4 +-
- drivers/md/raid10.c | 16 +-
+ drivers/md/raid10.c | 18 +-
drivers/md/raid5.c | 22 +-
drivers/media/dvb-core/dvbdev.c | 2 +-
drivers/media/dvb-frontends/af9033.h | 2 +-
drivers/mfd/max8925-i2c.c | 2 +-
drivers/mfd/tps65910.c | 2 +-
drivers/mfd/twl4030-irq.c | 9 +-
+ drivers/mfd/wm5110-tables.c | 2 +-
+ drivers/mfd/wm8998-tables.c | 2 +-
drivers/misc/c2port/core.c | 4 +-
- drivers/misc/eeprom/sunxi_sid.c | 4 +-
drivers/misc/kgdbts.c | 4 +-
drivers/misc/lis3lv02d/lis3lv02d.c | 8 +-
drivers/misc/lis3lv02d/lis3lv02d.h | 2 +-
+ drivers/misc/mic/scif/scif_rb.c | 8 +-
drivers/misc/sgi-gru/gruhandles.c | 4 +-
drivers/misc/sgi-gru/gruprocfs.c | 8 +-
drivers/misc/sgi-gru/grutables.h | 154 +-
drivers/net/ethernet/amd/xgbe/xgbe-common.h | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-dcb.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 27 +-
- drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 141 +-
- drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 58 +-
- drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 6 +-
- drivers/net/ethernet/amd/xgbe/xgbe-main.c | 11 +-
- drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 143 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 64 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 10 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-main.c | 15 +-
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 27 +-
drivers/net/ethernet/amd/xgbe/xgbe-ptp.c | 4 +-
- drivers/net/ethernet/amd/xgbe/xgbe.h | 7 +-
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 10 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c | 11 +-
drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h | 3 +-
drivers/net/ethernet/broadcom/tg3.h | 1 +
+ drivers/net/ethernet/cavium/liquidio/lio_ethtool.c | 6 +-
+ drivers/net/ethernet/cavium/liquidio/lio_main.c | 11 +-
drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
drivers/net/ethernet/dec/tulip/de4x5.c | 4 +-
drivers/net/ethernet/emulex/benet/be_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_ptp.c | 2 +-
drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_tx.c | 4 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +-
drivers/net/ethernet/neterion/vxge/vxge-config.c | 7 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 4 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c | 12 +-
drivers/net/ethernet/sfc/ptp.c | 2 +-
drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 +-
drivers/net/ethernet/via/via-rhine.c | 2 +-
+ drivers/net/geneve.c | 2 +-
drivers/net/hyperv/hyperv_net.h | 2 +-
drivers/net/hyperv/rndis_filter.c | 4 +-
drivers/net/ifb.c | 2 +-
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
drivers/net/macvlan.c | 20 +-
drivers/net/macvtap.c | 6 +-
drivers/net/nlmon.c | 2 +-
drivers/net/usb/r8152.c | 2 +-
drivers/net/usb/sierra_net.c | 4 +-
drivers/net/virtio_net.c | 2 +-
+ drivers/net/vrf.c | 2 +-
drivers/net/vxlan.c | 4 +-
drivers/net/wimax/i2400m/rx.c | 2 +-
drivers/net/wireless/airo.c | 2 +-
drivers/net/wireless/at76c50x-usb.c | 2 +-
+ drivers/net/wireless/ath/ath10k/ce.c | 6 +-
drivers/net/wireless/ath/ath10k/htc.c | 7 +-
drivers/net/wireless/ath/ath10k/htc.h | 4 +-
drivers/net/wireless/ath/ath9k/ar9002_mac.c | 36 +-
drivers/net/wireless/ath/ath9k/ar9003_mac.c | 64 +-
drivers/net/wireless/ath/ath9k/hw.h | 4 +-
drivers/net/wireless/ath/ath9k/main.c | 22 +-
+ drivers/net/wireless/ath/wil6210/wil_platform.h | 2 +-
drivers/net/wireless/b43/phy_lp.c | 2 +-
drivers/net/wireless/iwlegacy/3945-mac.c | 4 +-
drivers/net/wireless/iwlwifi/dvm/debugfs.c | 34 +-
drivers/oprofile/buffer_sync.c | 8 +-
drivers/oprofile/event_buffer.c | 2 +-
drivers/oprofile/oprof.c | 2 +-
- drivers/oprofile/oprofile_files.c | 2 +-
drivers/oprofile/oprofile_stats.c | 10 +-
drivers/oprofile/oprofile_stats.h | 10 +-
drivers/oprofile/oprofilefs.c | 6 +-
drivers/pci/hotplug/cpqphp_nvram.c | 2 +
drivers/pci/hotplug/pci_hotplug_core.c | 6 +-
drivers/pci/hotplug/pciehp_core.c | 2 +-
- drivers/pci/msi.c | 6 +-
+ drivers/pci/msi.c | 22 +-
drivers/pci/pci-sysfs.c | 6 +-
drivers/pci/pci.h | 2 +-
drivers/pci/pcie/aspm.c | 6 +-
drivers/pci/pcie/portdrv_pci.c | 2 +-
drivers/pci/probe.c | 2 +-
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 2 +-
+ drivers/pinctrl/pinctrl-at91.c | 5 +-
drivers/platform/chrome/chromeos_pstore.c | 2 +-
drivers/platform/x86/alienware-wmi.c | 4 +-
drivers/platform/x86/compal-laptop.c | 2 +-
drivers/power/power_supply.h | 4 +-
drivers/power/power_supply_core.c | 7 +-
drivers/power/power_supply_sysfs.c | 6 +-
+ drivers/power/reset/at91-reset.c | 9 +-
drivers/powercap/powercap_sys.c | 136 +-
drivers/ptp/ptp_private.h | 2 +-
drivers/ptp/ptp_sysfs.c | 2 +-
drivers/regulator/core.c | 4 +-
drivers/regulator/max8660.c | 6 +-
- drivers/regulator/max8973-regulator.c | 8 +-
+ drivers/regulator/max8973-regulator.c | 16 +-
drivers/regulator/mc13892-regulator.c | 8 +-
+ drivers/rtc/rtc-armada38x.c | 7 +-
drivers/rtc/rtc-cmos.c | 4 +-
drivers/rtc/rtc-ds1307.c | 2 +-
drivers/rtc/rtc-m48t59.c | 4 +-
+ drivers/rtc/rtc-test.c | 6 +-
+ drivers/scsi/be2iscsi/be_main.c | 2 +-
drivers/scsi/bfa/bfa_fcpim.h | 2 +-
drivers/scsi/bfa/bfa_ioc.h | 4 +-
drivers/scsi/fcoe/fcoe_sysfs.c | 12 +-
drivers/scsi/hosts.c | 4 +-
- drivers/scsi/hpsa.c | 36 +-
+ drivers/scsi/hpsa.c | 38 +-
drivers/scsi/hpsa.h | 2 +-
drivers/scsi/libfc/fc_exch.c | 50 +-
drivers/scsi/libsas/sas_ata.c | 2 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 18 +-
drivers/scsi/lpfc/lpfc_init.c | 6 +-
drivers/scsi/lpfc/lpfc_scsi.c | 10 +-
+ drivers/scsi/megaraid/megaraid_sas.h | 2 +-
drivers/scsi/mpt2sas/mpt2sas_scsih.c | 8 +-
drivers/scsi/pmcraid.c | 20 +-
drivers/scsi/pmcraid.h | 8 +-
drivers/scsi/scsi_transport_srp.c | 6 +-
drivers/scsi/sd.c | 6 +-
drivers/scsi/sg.c | 2 +-
- drivers/scsi/sr.c | 8 +-
+ drivers/scsi/sr.c | 21 +-
drivers/soc/tegra/fuse/fuse-tegra.c | 2 +-
drivers/spi/spi.c | 2 +-
drivers/staging/android/timed_output.c | 6 +-
drivers/staging/fbtft/fbtft-core.c | 2 +-
drivers/staging/fbtft/fbtft.h | 2 +-
drivers/staging/gdm724x/gdm_tty.c | 2 +-
- drivers/staging/i2o/i2o.h | 2 +-
- drivers/staging/i2o/i2o_proc.c | 67 +-
- drivers/staging/i2o/iop.c | 8 +-
+ drivers/staging/iio/accel/lis3l02dq_ring.c | 2 +-
+ drivers/staging/iio/adc/ad7280a.c | 4 +-
drivers/staging/lustre/lnet/selftest/brw_test.c | 12 +-
drivers/staging/lustre/lnet/selftest/framework.c | 4 -
drivers/staging/lustre/lnet/selftest/ping_test.c | 14 +-
drivers/staging/lustre/lustre/include/lustre_dlm.h | 2 +-
drivers/staging/lustre/lustre/include/obd.h | 2 +-
- drivers/staging/lustre/lustre/libcfs/module.c | 6 +-
- drivers/staging/octeon/ethernet-rx.c | 12 +-
+ drivers/staging/octeon/ethernet-rx.c | 20 +-
drivers/staging/octeon/ethernet.c | 8 +-
+ drivers/staging/rdma/ipath/ipath_rc.c | 6 +-
+ drivers/staging/rdma/ipath/ipath_ruc.c | 6 +-
drivers/staging/rtl8188eu/include/hal_intf.h | 2 +-
drivers/staging/rtl8712/rtl871x_io.h | 2 +-
- drivers/staging/unisys/visorchipset/visorchipset.h | 4 +-
+ drivers/staging/sm750fb/sm750.c | 14 +-
+ drivers/staging/unisys/visorbus/visorbus_private.h | 4 +-
drivers/target/sbp/sbp_target.c | 4 +-
- drivers/target/target_core_device.c | 2 +-
- drivers/target/target_core_transport.c | 2 +-
+ drivers/thermal/cpu_cooling.c | 9 +-
drivers/thermal/int340x_thermal/int3400_thermal.c | 6 +-
drivers/thermal/of-thermal.c | 17 +-
drivers/thermal/x86_pkg_temp_thermal.c | 2 +-
drivers/tty/ipwireless/tty.c | 27 +-
drivers/tty/moxa.c | 2 +-
drivers/tty/n_gsm.c | 4 +-
- drivers/tty/n_tty.c | 5 +-
+ drivers/tty/n_tty.c | 3 +-
drivers/tty/pty.c | 4 +-
drivers/tty/rocket.c | 6 +-
- drivers/tty/serial/8250/8250_core.c | 4 +-
+ drivers/tty/serial/8250/8250_core.c | 10 +-
+ drivers/tty/serial/ifx6x60.c | 2 +-
drivers/tty/serial/ioc4_serial.c | 6 +-
drivers/tty/serial/kgdb_nmi.c | 4 +-
drivers/tty/serial/kgdboc.c | 32 +-
drivers/uio/uio.c | 13 +-
drivers/usb/atm/cxacru.c | 2 +-
drivers/usb/atm/usbatm.c | 24 +-
+ drivers/usb/class/cdc-acm.h | 2 +-
drivers/usb/core/devices.c | 6 +-
- drivers/usb/core/devio.c | 10 +-
+ drivers/usb/core/devio.c | 12 +-
drivers/usb/core/hcd.c | 4 +-
- drivers/usb/core/message.c | 6 +-
drivers/usb/core/sysfs.c | 2 +-
drivers/usb/core/usb.c | 2 +-
drivers/usb/early/ehci-dbgp.c | 16 +-
drivers/usb/gadget/function/u_serial.c | 22 +-
+ drivers/usb/gadget/udc/dummy_hcd.c | 2 +-
+ drivers/usb/host/ehci-hcd.c | 2 +-
drivers/usb/host/ehci-hub.c | 4 +-
+ drivers/usb/host/ehci-q.c | 4 +-
+ drivers/usb/host/fotg210-hcd.c | 2 +-
+ drivers/usb/host/fusbh200-hcd.c | 2 +-
+ drivers/usb/host/hwa-hc.c | 2 +-
+ drivers/usb/host/ohci-hcd.c | 2 +-
+ drivers/usb/host/r8a66597.h | 2 +-
+ drivers/usb/host/uhci-hcd.c | 2 +-
+ drivers/usb/host/xhci-pci.c | 2 +-
+ drivers/usb/host/xhci.c | 2 +-
drivers/usb/misc/appledisplay.c | 4 +-
drivers/usb/serial/console.c | 8 +-
+ drivers/usb/storage/transport.c | 2 +-
+ drivers/usb/storage/usb.c | 2 +-
drivers/usb/storage/usb.h | 2 +-
drivers/usb/usbip/vhci.h | 2 +-
drivers/usb/usbip/vhci_hcd.c | 6 +-
drivers/vfio/vfio.c | 2 +-
drivers/vhost/vringh.c | 20 +-
drivers/video/backlight/kb3886_bl.c | 2 +-
+ drivers/video/console/fbcon.c | 2 +-
drivers/video/fbdev/aty/aty128fb.c | 2 +-
drivers/video/fbdev/aty/atyfb_base.c | 8 +-
drivers/video/fbdev/aty/mach64_cursor.c | 5 +-
drivers/video/fbdev/core/fbmem.c | 2 +-
drivers/video/fbdev/hyperv_fb.c | 4 +-
drivers/video/fbdev/i810/i810_accel.c | 1 +
+ drivers/video/fbdev/matrox/matroxfb_base.c | 2 +-
drivers/video/fbdev/mb862xx/mb862xxfb_accel.c | 16 +-
drivers/video/fbdev/nvidia/nvidia.c | 27 +-
drivers/video/fbdev/omap2/dss/display.c | 8 +-
drivers/video/fbdev/vesafb.c | 58 +-
drivers/video/fbdev/via/via_clock.h | 2 +-
drivers/xen/events/events_base.c | 6 +-
- fs/9p/vfs_inode.c | 2 +-
+ drivers/xen/evtchn.c | 4 +-
fs/Kconfig.binfmt | 2 +-
fs/afs/inode.c | 4 +-
fs/aio.c | 2 +-
fs/befs/endian.h | 6 +-
fs/binfmt_aout.c | 23 +-
fs/binfmt_elf.c | 670 +-
+ fs/binfmt_elf_fdpic.c | 4 +-
fs/block_dev.c | 2 +-
fs/btrfs/ctree.c | 9 +-
- fs/btrfs/delayed-inode.c | 6 +-
- fs/btrfs/delayed-inode.h | 4 +-
+ fs/btrfs/delayed-inode.c | 9 +-
+ fs/btrfs/delayed-inode.h | 6 +-
+ fs/btrfs/file.c | 10 +-
+ fs/btrfs/inode.c | 14 +-
fs/btrfs/super.c | 2 +-
fs/btrfs/sysfs.c | 2 +-
fs/btrfs/tests/free-space-tests.c | 8 +-
fs/cachefiles/internal.h | 12 +-
fs/cachefiles/namei.c | 2 +-
fs/cachefiles/proc.c | 12 +-
- fs/ceph/dir.c | 11 +-
+ fs/ceph/dir.c | 12 +-
fs/ceph/super.c | 4 +-
fs/cifs/cifs_debug.c | 12 +-
fs/cifs/cifsfs.c | 8 +-
fs/ecryptfs/miscdev.c | 2 +-
fs/exec.c | 362 +-
fs/ext2/xattr.c | 5 +-
- fs/ext3/xattr.c | 5 +-
fs/ext4/ext4.h | 20 +-
fs/ext4/mballoc.c | 44 +-
- fs/ext4/mmp.c | 2 +-
fs/ext4/resize.c | 16 +-
fs/ext4/super.c | 4 +-
fs/ext4/xattr.c | 5 +-
fs/file.c | 4 +-
fs/fs_struct.c | 8 +-
fs/fscache/cookie.c | 40 +-
- fs/fscache/internal.h | 200 +-
+ fs/fscache/internal.h | 202 +-
fs/fscache/object.c | 26 +-
- fs/fscache/operation.c | 30 +-
+ fs/fscache/operation.c | 38 +-
fs/fscache/page.c | 110 +-
- fs/fscache/stats.c | 344 +-
+ fs/fscache/stats.c | 348 +-
fs/fuse/cuse.c | 10 +-
fs/fuse/dev.c | 4 +-
- fs/fuse/dir.c | 2 +-
fs/gfs2/glock.c | 22 +-
fs/gfs2/glops.c | 4 +-
fs/gfs2/quota.c | 6 +-
- fs/hostfs/hostfs_kern.c | 2 +-
fs/hugetlbfs/inode.c | 13 +-
fs/inode.c | 4 +-
fs/jffs2/erase.c | 3 +-
fs/jfs/super.c | 2 +-
fs/kernfs/dir.c | 2 +-
fs/kernfs/file.c | 20 +-
- fs/kernfs/symlink.c | 2 +-
- fs/libfs.c | 12 +-
+ fs/libfs.c | 10 +-
fs/lockd/clntproc.c | 4 +-
- fs/namei.c | 24 +-
+ fs/namei.c | 16 +-
fs/namespace.c | 16 +-
fs/nfs/callback_xdr.c | 2 +-
fs/nfs/inode.c | 6 +-
fs/proc/kcore.c | 34 +-
fs/proc/meminfo.c | 2 +-
fs/proc/nommu.c | 2 +-
- fs/proc/proc_sysctl.c | 18 +-
+ fs/proc/proc_sysctl.c | 26 +-
fs/proc/task_mmu.c | 39 +-
fs/proc/task_nommu.c | 4 +-
fs/proc/vmcore.c | 16 +-
fs/splice.c | 43 +-
fs/squashfs/xattr.c | 12 +-
fs/sysv/sysv.h | 2 +-
- fs/ubifs/io.c | 2 +-
+ fs/tracefs/inode.c | 8 +-
fs/udf/misc.c | 2 +-
fs/ufs/swab.h | 4 +-
+ fs/userfaultfd.c | 2 +-
fs/xattr.c | 21 +
fs/xfs/libxfs/xfs_bmap.c | 2 +-
fs/xfs/xfs_dir2_readdir.c | 7 +-
fs/xfs/xfs_ioctl.c | 2 +-
fs/xfs/xfs_linux.h | 4 +-
include/asm-generic/4level-fixup.h | 2 +
- include/asm-generic/atomic-long.h | 214 +-
+ include/asm-generic/atomic-long.h | 156 +-
include/asm-generic/atomic64.h | 12 +
- include/asm-generic/barrier.h | 2 +-
include/asm-generic/bitops/__fls.h | 2 +-
include/asm-generic/bitops/fls.h | 2 +-
include/asm-generic/bitops/fls64.h | 4 +-
include/asm-generic/pgtable-nopmd.h | 18 +-
include/asm-generic/pgtable-nopud.h | 15 +-
include/asm-generic/pgtable.h | 16 +
+ include/asm-generic/sections.h | 1 +
include/asm-generic/uaccess.h | 16 +
- include/asm-generic/vmlinux.lds.h | 13 +-
+ include/asm-generic/vmlinux.lds.h | 15 +-
include/crypto/algapi.h | 2 +-
include/drm/drmP.h | 16 +-
include/drm/drm_crtc_helper.h | 2 +-
+ include/drm/drm_mm.h | 2 +-
include/drm/i915_pciids.h | 2 +-
+ include/drm/intel-gtt.h | 4 +-
include/drm/ttm/ttm_memory.h | 2 +-
include/drm/ttm/ttm_page_alloc.h | 1 +
include/keys/asymmetric-subtype.h | 2 +-
include/linux/atmdev.h | 4 +-
- include/linux/atomic.h | 2 +-
+ include/linux/atomic.h | 17 +-
include/linux/audit.h | 2 +-
+ include/linux/average.h | 2 +-
include/linux/binfmts.h | 3 +-
include/linux/bitmap.h | 2 +-
- include/linux/bitops.h | 6 +-
+ include/linux/bitops.h | 8 +-
include/linux/blkdev.h | 2 +-
include/linux/blktrace_api.h | 2 +-
include/linux/cache.h | 8 +
include/linux/cleancache.h | 2 +-
include/linux/clk-provider.h | 1 +
include/linux/compat.h | 6 +-
- include/linux/compiler-gcc.h | 4 +-
- include/linux/compiler-gcc4.h | 24 +
- include/linux/compiler-gcc5.h | 23 +
- include/linux/compiler.h | 93 +-
- include/linux/completion.h | 12 +-
+ include/linux/compiler-gcc.h | 28 +-
+ include/linux/compiler.h | 157 +-
include/linux/configfs.h | 2 +-
include/linux/cpufreq.h | 3 +-
include/linux/cpuidle.h | 5 +-
include/linux/cpumask.h | 14 +-
- include/linux/crypto.h | 6 +-
+ include/linux/crypto.h | 4 +-
include/linux/ctype.h | 2 +-
include/linux/dcache.h | 4 +-
include/linux/decompress/mm.h | 2 +-
include/linux/extcon.h | 2 +-
include/linux/fb.h | 3 +-
include/linux/fdtable.h | 2 +-
- include/linux/frontswap.h | 2 +-
include/linux/fs.h | 5 +-
include/linux/fs_struct.h | 2 +-
- include/linux/fscache-cache.h | 4 +-
+ include/linux/fscache-cache.h | 2 +-
include/linux/fscache.h | 2 +-
include/linux/fsnotify.h | 2 +-
include/linux/genhd.h | 4 +-
include/linux/interrupt.h | 6 +-
include/linux/iommu.h | 2 +-
include/linux/ioport.h | 2 +-
- include/linux/irq.h | 3 +-
+ include/linux/ipc.h | 2 +-
+ include/linux/irq.h | 5 +-
include/linux/irqdesc.h | 2 +-
- include/linux/irqdomain.h | 1 +
- include/linux/jiffies.h | 14 +-
- include/linux/kernel.h | 2 +-
+ include/linux/irqdomain.h | 3 +
+ include/linux/jiffies.h | 16 +-
include/linux/key-type.h | 2 +-
include/linux/kgdb.h | 6 +-
include/linux/kmemleak.h | 4 +-
include/linux/kobject.h | 3 +-
include/linux/kobject_ns.h | 2 +-
include/linux/kref.h | 2 +-
- include/linux/kvm_host.h | 4 +-
include/linux/libata.h | 2 +-
include/linux/linkage.h | 1 +
include/linux/list.h | 15 +
include/linux/lockref.h | 26 +-
include/linux/math64.h | 10 +-
include/linux/mempolicy.h | 7 +
- include/linux/mm.h | 104 +-
+ include/linux/mm.h | 102 +-
include/linux/mm_types.h | 20 +
include/linux/mmiotrace.h | 4 +-
include/linux/mmzone.h | 2 +-
include/linux/mod_devicetable.h | 4 +-
- include/linux/module.h | 60 +-
+ include/linux/module.h | 69 +-
include/linux/moduleloader.h | 16 +
include/linux/moduleparam.h | 4 +-
- include/linux/namei.h | 4 +-
include/linux/net.h | 2 +-
include/linux/netdevice.h | 7 +-
include/linux/netfilter.h | 2 +-
include/linux/ppp-comp.h | 2 +-
include/linux/preempt.h | 21 +
include/linux/proc_ns.h | 2 +-
+ include/linux/psci.h | 2 +-
include/linux/quota.h | 2 +-
- include/linux/random.h | 23 +-
- include/linux/rculist.h | 20 +-
- include/linux/rcupdate.h | 2 +-
+ include/linux/random.h | 19 +-
+ include/linux/rculist.h | 16 +
include/linux/reboot.h | 14 +-
include/linux/regset.h | 3 +-
include/linux/relay.h | 2 +-
include/linux/rio.h | 2 +-
include/linux/rmap.h | 4 +-
- include/linux/sched.h | 70 +-
+ include/linux/sched.h | 72 +-
include/linux/sched/sysctl.h | 1 +
- include/linux/security.h | 2 -
include/linux/semaphore.h | 2 +-
include/linux/seq_file.h | 1 +
include/linux/signal.h | 2 +-
- include/linux/skbuff.h | 10 +-
+ include/linux/skbuff.h | 12 +-
include/linux/slab.h | 47 +-
include/linux/slab_def.h | 14 +-
include/linux/slub_def.h | 2 +-
include/linux/sunrpc/svc.h | 2 +-
include/linux/sunrpc/svc_rdma.h | 18 +-
include/linux/sunrpc/svcauth.h | 2 +-
+ include/linux/swapops.h | 10 +-
include/linux/swiotlb.h | 3 +-
include/linux/syscalls.h | 21 +-
include/linux/syscore_ops.h | 2 +-
include/linux/sysctl.h | 3 +-
include/linux/sysfs.h | 9 +-
include/linux/sysrq.h | 3 +-
+ include/linux/tcp.h | 14 +-
include/linux/thread_info.h | 7 +
include/linux/tty.h | 4 +-
include/linux/tty_driver.h | 2 +-
include/linux/uaccess.h | 6 +-
include/linux/uio_driver.h | 2 +-
include/linux/unaligned/access_ok.h | 24 +-
- include/linux/usb.h | 4 +-
+ include/linux/usb.h | 12 +-
+ include/linux/usb/hcd.h | 1 +
include/linux/usb/renesas_usbhs.h | 2 +-
include/linux/vermagic.h | 21 +-
include/linux/vga_switcheroo.h | 8 +-
include/net/genetlink.h | 2 +-
include/net/gro_cells.h | 2 +-
include/net/inet_connection_sock.h | 2 +-
+ include/net/inet_sock.h | 2 +-
include/net/inetpeer.h | 2 +-
include/net/ip_fib.h | 2 +-
include/net/ip_vs.h | 8 +-
+ include/net/ipv6.h | 2 +-
include/net/irda/ircomm_tty.h | 1 +
include/net/iucv/af_iucv.h | 2 +-
include/net/llc_c_ac.h | 2 +-
include/net/llc_c_st.h | 2 +-
include/net/llc_s_ac.h | 2 +-
include/net/llc_s_st.h | 2 +-
- include/net/mac80211.h | 2 +-
+ include/net/mac80211.h | 4 +-
include/net/neighbour.h | 2 +-
- include/net/net_namespace.h | 16 +-
+ include/net/net_namespace.h | 18 +-
include/net/netlink.h | 2 +-
include/net/netns/conntrack.h | 6 +-
include/net/netns/ipv4.h | 4 +-
include/net/sctp/checksum.h | 4 +-
include/net/sctp/sm.h | 4 +-
include/net/sctp/structs.h | 2 +-
- include/net/sock.h | 10 +-
+ include/net/sock.h | 12 +-
include/net/tcp.h | 8 +-
include/net/xfrm.h | 13 +-
include/rdma/iw_cm.h | 2 +-
include/scsi/scsi_device.h | 6 +-
include/scsi/scsi_driver.h | 2 +-
include/scsi/scsi_transport_fc.h | 3 +-
+ include/scsi/sg.h | 2 +-
include/sound/compress_driver.h | 2 +-
include/sound/soc.h | 4 +-
- include/target/target_core_base.h | 2 +-
include/trace/events/irq.h | 4 +-
include/uapi/linux/a.out.h | 8 +
include/uapi/linux/bcache.h | 5 +-
include/uapi/linux/byteorder/little_endian.h | 28 +-
+ include/uapi/linux/connector.h | 2 +-
include/uapi/linux/elf.h | 28 +
include/uapi/linux/screen_info.h | 3 +-
include/uapi/linux/swab.h | 6 +-
init/do_mounts_md.c | 6 +-
init/init_task.c | 4 +
init/initramfs.c | 38 +-
- init/main.c | 78 +-
+ init/main.c | 30 +-
ipc/compat.c | 4 +-
ipc/ipc_sysctl.c | 8 +-
ipc/mq_sysctl.c | 4 +-
kernel/events/internal.h | 10 +-
kernel/events/uprobes.c | 2 +-
kernel/exit.c | 2 +-
- kernel/fork.c | 163 +-
+ kernel/fork.c | 167 +-
kernel/futex.c | 11 +-
kernel/futex_compat.c | 2 +-
kernel/gcov/base.c | 7 +-
kernel/irq/manage.c | 2 +-
+ kernel/irq/msi.c | 19 +-
kernel/irq/spurious.c | 2 +-
kernel/jump_label.c | 5 +
kernel/kallsyms.c | 37 +-
kernel/locking/mutex-debug.c | 12 +-
kernel/locking/mutex-debug.h | 4 +-
kernel/locking/mutex.c | 6 +-
- kernel/locking/rtmutex-tester.c | 24 +-
- kernel/module.c | 357 +-
+ kernel/module.c | 422 +-
kernel/notifier.c | 17 +-
kernel/padata.c | 4 +-
kernel/panic.c | 5 +-
kernel/ptrace.c | 8 +-
kernel/rcu/rcutorture.c | 60 +-
kernel/rcu/tiny.c | 4 +-
- kernel/rcu/tiny_plugin.h | 6 +-
- kernel/rcu/tree.c | 128 +-
- kernel/rcu/tree.h | 26 +-
- kernel/rcu/tree_plugin.h | 42 +-
- kernel/rcu/tree_trace.c | 22 +-
- kernel/rcu/update.c | 10 +-
+ kernel/rcu/tree.c | 44 +-
+ kernel/rcu/tree.h | 14 +-
+ kernel/rcu/tree_plugin.h | 14 +-
+ kernel/rcu/tree_trace.c | 12 +-
kernel/sched/auto_group.c | 4 +-
- kernel/sched/completion.c | 6 +-
kernel/sched/core.c | 45 +-
- kernel/sched/fair.c | 4 +-
+ kernel/sched/fair.c | 2 +-
kernel/sched/sched.h | 2 +-
kernel/signal.c | 12 +-
kernel/smpboot.c | 4 +-
kernel/sys.c | 10 +-
kernel/sysctl.c | 34 +-
kernel/time/alarmtimer.c | 2 +-
- kernel/time/hrtimer.c | 2 +-
kernel/time/posix-cpu-timers.c | 4 +-
kernel/time/posix-timers.c | 24 +-
- kernel/time/timer.c | 4 +-
+ kernel/time/timer.c | 2 +-
kernel/time/timer_stats.c | 10 +-
- kernel/torture.c | 10 +-
kernel/trace/blktrace.c | 6 +-
kernel/trace/ftrace.c | 15 +-
kernel/trace/ring_buffer.c | 96 +-
kernel/workqueue.c | 2 +-
lib/Kconfig.debug | 8 +-
lib/Makefile | 2 +-
- lib/average.c | 2 +-
- lib/bitmap.c | 10 +-
+ lib/bitmap.c | 8 +-
lib/bug.c | 2 +
lib/debugobjects.c | 2 +-
lib/decompress_bunzip2.c | 3 +-
lib/strncpy_from_user.c | 2 +-
lib/strnlen_user.c | 2 +-
lib/swiotlb.c | 2 +-
- lib/test-hexdump.c | 6 +-
lib/usercopy.c | 6 +
lib/vsprintf.c | 12 +-
mm/Kconfig | 6 +-
mm/backing-dev.c | 4 +-
+ mm/debug.c | 3 +
mm/filemap.c | 2 +-
mm/gup.c | 13 +-
- mm/highmem.c | 7 +-
+ mm/highmem.c | 6 +-
mm/hugetlb.c | 70 +-
- mm/internal.h | 3 +-
+ mm/internal.h | 1 +
mm/maccess.c | 4 +-
mm/madvise.c | 37 +
- mm/memory-failure.c | 30 +-
- mm/memory.c | 410 +-
+ mm/memory-failure.c | 6 +-
+ mm/memory.c | 424 +-
mm/mempolicy.c | 25 +
mm/mlock.c | 15 +-
mm/mm_init.c | 2 +-
mm/mmap.c | 582 +-
mm/mprotect.c | 137 +-
- mm/mremap.c | 44 +-
+ mm/mremap.c | 39 +-
mm/nommu.c | 21 +-
mm/page-writeback.c | 2 +-
- mm/page_alloc.c | 48 +-
+ mm/page_alloc.c | 49 +-
mm/percpu.c | 2 +-
mm/process_vm_access.c | 14 +-
mm/rmap.c | 45 +-
mm/slab.h | 22 +-
mm/slab_common.c | 86 +-
mm/slob.c | 218 +-
- mm/slub.c | 101 +-
+ mm/slub.c | 102 +-
mm/sparse-vmemmap.c | 4 +-
mm/sparse.c | 2 +-
mm/swap.c | 2 +
mm/swapfile.c | 12 +-
mm/util.c | 6 +
- mm/vmalloc.c | 112 +-
+ mm/vmalloc.c | 114 +-
mm/vmstat.c | 12 +-
net/8021q/vlan.c | 5 +-
net/8021q/vlan_netlink.c | 2 +-
net/core/net_namespace.c | 8 +-
net/core/netpoll.c | 4 +-
net/core/rtnetlink.c | 15 +-
- net/core/scm.c | 8 +-
+ net/core/scm.c | 14 +-
net/core/skbuff.c | 8 +-
- net/core/sock.c | 26 +-
- net/core/sock_diag.c | 9 +-
+ net/core/sock.c | 28 +-
+ net/core/sock_diag.c | 15 +-
net/core/sysctl_net_core.c | 22 +-
net/decnet/af_decnet.c | 1 +
net/decnet/sysctl_net_decnet.c | 4 +-
+ net/dsa/dsa.c | 2 +-
net/hsr/hsr_netlink.c | 2 +-
net/ieee802154/6lowpan/core.c | 2 +-
net/ieee802154/6lowpan/reassembly.c | 14 +-
net/ipv4/devinet.c | 18 +-
net/ipv4/fib_frontend.c | 6 +-
net/ipv4/fib_semantics.c | 2 +-
+ net/ipv4/inet_connection_sock.c | 4 +-
+ net/ipv4/inet_timewait_sock.c | 2 +-
net/ipv4/inetpeer.c | 2 +-
net/ipv4/ip_fragment.c | 15 +-
net/ipv4/ip_gre.c | 6 +-
net/ipv4/raw.c | 14 +-
net/ipv4/route.c | 32 +-
net/ipv4/sysctl_net_ipv4.c | 22 +-
- net/ipv4/tcp_input.c | 4 +-
+ net/ipv4/tcp_input.c | 6 +-
net/ipv4/tcp_probe.c | 2 +-
net/ipv4/udp.c | 10 +-
net/ipv4/xfrm4_policy.c | 18 +-
- net/ipv6/addrconf.c | 16 +-
+ net/ipv6/addrconf.c | 18 +-
net/ipv6/af_inet6.c | 2 +-
net/ipv6/datagram.c | 2 +-
net/ipv6/icmp.c | 2 +-
net/l2tp/l2tp_ip6.c | 2 +-
net/mac80211/cfg.c | 8 +-
net/mac80211/ieee80211_i.h | 3 +-
- net/mac80211/iface.c | 16 +-
+ net/mac80211/iface.c | 20 +-
net/mac80211/main.c | 2 +-
net/mac80211/pm.c | 4 +-
net/mac80211/rate.c | 2 +-
net/netfilter/xt_statistic.c | 8 +-
net/netlink/af_netlink.c | 4 +-
net/openvswitch/vport-internal_dev.c | 2 +-
- net/openvswitch/vport.c | 16 +-
- net/openvswitch/vport.h | 8 +-
net/packet/af_packet.c | 8 +-
net/phonet/pep.c | 6 +-
net/phonet/socket.c | 2 +-
net/sunrpc/clnt.c | 4 +-
net/sunrpc/sched.c | 4 +-
net/sunrpc/svc.c | 4 +-
- net/sunrpc/svcauth_unix.c | 4 +-
+ net/sunrpc/svcauth_unix.c | 2 +-
net/sunrpc/xprtrdma/svc_rdma.c | 38 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 8 +-
net/sunrpc/xprtrdma/svc_rdma_sendto.c | 2 +-
scripts/Kbuild.include | 2 +-
scripts/Makefile.build | 2 +-
scripts/Makefile.clean | 3 +-
- scripts/Makefile.host | 63 +-
+ scripts/Makefile.host | 69 +-
scripts/basic/fixdep.c | 12 +-
+ scripts/dtc/checks.c | 14 +-
+ scripts/dtc/data.c | 6 +-
+ scripts/dtc/flattree.c | 8 +-
+ scripts/dtc/livetree.c | 4 +-
scripts/gcc-plugin.sh | 51 +
scripts/headers_install.sh | 1 +
+ scripts/kallsyms.c | 4 +-
+ scripts/kconfig/lkc.h | 5 +-
+ scripts/kconfig/menu.c | 2 +-
+ scripts/kconfig/symbol.c | 6 +-
scripts/link-vmlinux.sh | 2 +-
scripts/mod/file2alias.c | 14 +-
scripts/mod/modpost.c | 25 +-
scripts/sortextable.h | 6 +-
scripts/tags.sh | 2 +-
security/Kconfig | 692 +-
- security/apparmor/lsm.c | 2 +-
security/integrity/ima/ima.h | 4 +-
security/integrity/ima/ima_api.c | 2 +-
security/integrity/ima/ima_fs.c | 4 +-
security/integrity/ima/ima_queue.c | 2 +-
security/keys/key.c | 18 +-
- security/security.c | 9 +-
security/selinux/avc.c | 6 +-
- security/selinux/hooks.c | 10 +-
security/selinux/include/xfrm.h | 2 +-
- security/smack/smack_lsm.c | 2 +-
- security/tomoyo/tomoyo.c | 2 +-
- security/yama/yama_lsm.c | 4 +-
+ security/yama/yama_lsm.c | 2 +-
sound/aoa/codecs/onyx.c | 7 +-
sound/aoa/codecs/onyx.h | 1 +
sound/core/oss/pcm_oss.c | 18 +-
sound/pci/hda/hda_codec.c | 2 +-
sound/pci/ymfpci/ymfpci.h | 2 +-
sound/pci/ymfpci/ymfpci_main.c | 12 +-
+ sound/soc/codecs/sti-sas.c | 10 +-
sound/soc/soc-ac97.c | 6 +-
sound/soc/xtensa/xtfpga-i2s.c | 2 +-
tools/gcc/Makefile | 42 +
tools/gcc/checker_plugin.c | 150 +
tools/gcc/colorize_plugin.c | 215 +
- tools/gcc/constify_plugin.c | 564 +
- tools/gcc/gcc-common.h | 689 +
- tools/gcc/initify_plugin.c | 450 +
+ tools/gcc/constify_plugin.c | 571 +
+ tools/gcc/gcc-common.h | 812 +
+ tools/gcc/initify_plugin.c | 552 +
tools/gcc/kallocstat_plugin.c | 188 +
- tools/gcc/kernexec_plugin.c | 547 +
- tools/gcc/latent_entropy_plugin.c | 474 +
- tools/gcc/size_overflow_plugin/.gitignore | 1 +
- tools/gcc/size_overflow_plugin/Makefile | 20 +
- .../generate_size_overflow_hash.sh | 102 +
- .../insert_size_overflow_asm.c | 409 +
- .../size_overflow_plugin/intentional_overflow.c | 958 +
- tools/gcc/size_overflow_plugin/misc.c | 441 +
+ tools/gcc/kernexec_plugin.c | 549 +
+ tools/gcc/latent_entropy_plugin.c | 470 +
+ tools/gcc/size_overflow_plugin/.gitignore | 2 +
+ tools/gcc/size_overflow_plugin/Makefile | 28 +
+ .../disable_size_overflow_hash.data |12422 ++++++++++++
+ .../generate_size_overflow_hash.sh | 103 +
+ .../insert_size_overflow_asm.c | 416 +
+ .../size_overflow_plugin/intentional_overflow.c | 1010 +
.../size_overflow_plugin/remove_unnecessary_dup.c | 137 +
- tools/gcc/size_overflow_plugin/size_overflow.h | 281 +
- .../gcc/size_overflow_plugin/size_overflow_debug.c | 164 +
- .../size_overflow_plugin/size_overflow_hash.data |27576 ++++++++++++++++++++
+ tools/gcc/size_overflow_plugin/size_overflow.h | 323 +
+ .../gcc/size_overflow_plugin/size_overflow_debug.c | 194 +
+ .../size_overflow_plugin/size_overflow_hash.data |20735 ++++++++++++++++++++
.../size_overflow_hash_aux.data | 92 +
- tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 913 +
- .../size_overflow_plugin/size_overflow_plugin.c | 256 +
- .../size_overflow_plugin_hash.c | 345 +
- .../size_overflow_plugin/size_overflow_transform.c | 433 +
- .../size_overflow_transform_core.c | 962 +
- tools/gcc/stackleak_plugin.c | 432 +
+ tools/gcc/size_overflow_plugin/size_overflow_ipa.c | 1226 ++
+ .../gcc/size_overflow_plugin/size_overflow_misc.c | 505 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 318 +
+ .../size_overflow_plugin_hash.c | 352 +
+ .../size_overflow_plugin/size_overflow_transform.c | 749 +
+ .../size_overflow_transform_core.c | 1010 +
+ tools/gcc/stackleak_plugin.c | 436 +
tools/gcc/structleak_plugin.c | 287 +
tools/include/linux/compiler.h | 8 +
tools/lib/api/Makefile | 2 +-
tools/perf/util/include/asm/alternative-asm.h | 3 +
tools/virtio/linux/uaccess.h | 2 +-
- virt/kvm/kvm_main.c | 44 +-
- 1898 files changed, 59774 insertions(+), 8683 deletions(-)
+ virt/kvm/kvm_main.c | 42 +-
+ 1944 files changed, 66925 insertions(+), 8949 deletions(-)
projects / thirdparty / grsecurity-scrape.git / blobdiff