+commit 87790bbd0d8dc2bd7fd86cb947e32886db9e9766
+Author: Matthew Wilcox <willy@linux.intel.com>
+Date: Tue Feb 2 16:57:52 2016 -0800
+
+ radix-tree: fix race in gang lookup
+
+ If the indirect_ptr bit is set on a slot, that indicates we need to redo
+ the lookup. Introduce a new function radix_tree_iter_retry() which
+ forces the loop to retry the lookup by setting 'slot' to NULL and
+ turning the iterator back to point at the problematic entry.
+
+ This is a pretty rare problem to hit at the moment; the lookup has to
+ race with a grow of the radix tree from a height of 0. The consequences
+ of hitting this race are that gang lookup could return a pointer to a
+ radix_tree_node instead of a pointer to whatever the user had inserted
+ in the tree.
+
+ Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
+ Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 16 ++++++++++++++++
+ lib/radix-tree.c | 12 ++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+commit bf628043b4589c910919a0f221ae7f42aa8cea93
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Feb 3 02:11:03 2016 +0100
+
+ unix: correctly track in-flight fds in sending process user_struct
+
+ The commit referenced in the Fixes tag incorrectly accounted the number
+ of in-flight fds over a unix domain socket to the original opener
+ of the file-descriptor. This allows another process to arbitrary
+ deplete the original file-openers resource limit for the maximum of
+ open files. Instead the sending processes and its struct cred should
+ be credited.
+
+ To do so, we add a reference counted struct user_struct pointer to the
+ scm_fp_list and use it to account for the number of inflight unix fds.
+
+ Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+ Reported-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: David Herrmann <dh.herrmann@gmail.com>
+ Cc: Willy Tarreau <w@1wt.eu>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+commit e830db443ff78d70b7b63536e688d73907face0c
+Author: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri Jan 15 16:57:37 2016 -0800
+
+ fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+ Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+ argument end is of type pgoff_t. It was being converted to a vaddr
+ offset and passed to unmap_hugepage_range. However, end was also being
+ used as an argument to the vma_interval_tree_foreach controlling loop.
+ In addition, the conversion of end to vaddr offset was incorrect.
+
+ hugetlb_vmtruncate_list is called as part of a file truncate or
+ fallocate hole punch operation.
+
+ When truncating a hugetlbfs file, this bug could prevent some pages from
+ being unmapped. This is possible if there are multiple vmas mapping the
+ file, and there is a sufficiently sized hole between the mappings. The
+ size of the hole between two vmas (A,B) must be such that the starting
+ virtual address of B is greater than (ending virtual address of A <<
+ PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+ pages are not properly unmapped during truncate, the following BUG is
+ hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+ In the fallocate hole punch case, this bug could prevent pages from
+ being unmapped as in the truncate case. However, for hole punch the
+ result is that unmapped pages will not be removed during the operation.
+ For hole punch, it is also possible that more pages than desired will be
+ unmapped. This unnecessary unmapping will cause page faults to
+ reestablish the mappings on subsequent page access.
+
+ Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+ Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Davidlohr Bueso <dave@stgolabs.net>
+ Cc: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org> [4.3]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
+
+commit cdb3ba4a9113b779347387f3b6c6ea72dd4db12f
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Feb 4 17:06:13 2016 +0100
+
+ ALSA: timer: Fix leftover link at closing
+
+ In ALSA timer core, the active timer instance is managed in
+ active_list linked list. Each element is added / removed dynamically
+ at timer start, stop and in timer interrupt. The problem is that
+ snd_timer_interrupt() has a thinko and leaves the element in
+ active_list when it's the last opened element. This eventually leads
+ to list corruption or use-after-free error.
+
+ This hasn't been revealed because we used to delete the list forcibly
+ in snd_timer_stop() in the past. However, the recent fix avoids the
+ double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
+ corruption due to double start or stop]), and this leak hits reality.
+
+ This patch fixes the link management in snd_timer_interrupt(). Now it
+ simply unlinks no matter which stream is.
+
+ BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 47d9647902f6a2f46a2be1e0140ba0f6f8c06008
+Author: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri Feb 5 15:37:01 2016 -0800
+
+ radix-tree: fix oops after radix_tree_iter_retry
+
+ Helper radix_tree_iter_retry() resets next_index to the current index.
+ In following radix_tree_next_slot current chunk size becomes zero. This
+ isn't checked and it tries to dereference null pointer in slot.
+
+ Tagged iterator is fine because retry happens only at slot 0 where tag
+ bitmask in iter->tags is filled with single bit.
+
+ Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+ Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+ Cc: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Jeremiah Mahler <jmmahler@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 95b5dcb3c01958502af00b0bc0da1d906aae11a2
+Merge: 438be0b 256aeaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:33 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 256aeaf87c22de8edf1f03682a572c590ae07771
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:09 2016 -0500
+
+ Update to pax-linux-4.3.5-test28.patch:
+ - fixed an integer truncation bug in numa_clear_kernel_node_hotplug caught by the size overflow plugin, reported by x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4374)
+ - spender fixed UDEREF on arm
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ arch/x86/mm/numa.c | 2 +-
+ security/Kconfig | 1 -
+ 10 files changed, 60 insertions(+), 70 deletions(-)
+
+commit 438be0bd112bd17942b2628c53054dc1007558a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 19:50:31 2016 -0500
+
+ Fix a number of issues caused by the upstream merging of a UDEREF ripoff resulting in unbootable
+ ARM systems reported on the forums
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ security/Kconfig | 1 -
+ 9 files changed, 59 insertions(+), 69 deletions(-)
+
+commit 4ffdd5ef1f87e611af1efb4f251ada92abe9f4c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:21:53 2016 -0500
+
+ Fix another compiler warning
+
+ net/ipv4/tcp_input.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 30b5b7bc0fd67d458bdd5ab35e4689769eabd2ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:16:12 2016 -0500
+
+ Fix two compiler warnings
+
+ kernel/pid.c | 5 ++---
+ kernel/ptrace.c | 3 ++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit dda4d2a21914c480750f10bd55c6e3203d415d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:22:40 2016 -0500
+
+ Apply fix for integer truncation in NUMA init code, reported by
+ x14sg1 on the forums:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4374
+
+ arch/x86/mm/numa.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 477505f7c893cb6a2c3e22f83eefd9c985d7b3ca
+Merge: a781740 016d0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:58 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 016d0d81a8dd4be1304c82a68e0ccf425868f467
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:10 2016 -0500
+
+ Update to pax-linux-4.3.5-test27.patch:
+ - fixed a bunch of potential REFCOUNT false positives, reported by Emese
+ - restored padding in fpregs_state for storing AVX-512 state in the future
+ - constified netlink_dump_control
+ - added const version of debug_gimple_stmt for gcc plugins, by Emese
+ - Emese fixed a bug in initify that could have initified too much
+ - Emese fixed a false positive intentional integer overflow in xfrm4_extract_header, reported by corsac
+
+ arch/x86/include/asm/fpu/types.h | 1 +
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ block/blk-cgroup.c | 18 ++--
+ block/cfq-iosched.c | 4 +-
+ crypto/crypto_user.c | 8 ++-
+ drivers/acpi/apei/ghes.c | 6 +-
+ drivers/char/ipmi/ipmi_ssif.c | 12 ++--
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +-
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 2 +-
+ drivers/gpu/drm/amd/scheduler/sched_fence.c | 2 +-
+ drivers/infiniband/core/netlink.c | 5 +-
+ drivers/infiniband/hw/cxgb4/device.c | 6 +-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/bcache.h | 10 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/io.c | 10 +-
+ drivers/md/bcache/journal.c | 2 +-
+ drivers/md/bcache/stats.c | 26 +++---
+ drivers/md/bcache/stats.h | 16 ++--
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bcache/sysfs.c | 20 +++---
+ drivers/md/dm-cache-target.c | 98 ++++++++++++------------
+ drivers/md/dm-raid.c | 2 +-
+ drivers/md/md.c | 6 +-
+ drivers/md/md.h | 2 +-
+ drivers/md/raid1.c | 2 +-
+ drivers/md/raid10.c | 2 +-
+ drivers/md/raid5.c | 4 +-
+ drivers/media/pci/zoran/zoran.h | 1 -
+ drivers/media/pci/zoran/zoran_driver.c | 3 -
+ drivers/net/ethernet/sfc/selftest.c | 20 +++---
+ drivers/net/irda/vlsi_ir.c | 18 ++--
+ drivers/net/irda/vlsi_ir.h | 14 ++--
+ drivers/net/wireless/ath/carl9170/carl9170.h | 6 +-
+ drivers/net/wireless/ath/carl9170/debug.c | 6 +-
+ drivers/net/wireless/ath/carl9170/main.c | 10 +-
+ drivers/net/wireless/ath/carl9170/tx.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/d3.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 2 +-
+ drivers/scsi/hptiop.c | 2 -
+ drivers/scsi/hptiop.h | 1 -
+ drivers/scsi/ipr.c | 6 +-
+ drivers/scsi/ipr.h | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 10 +-
+ drivers/scsi/qla2xxx/qla_target.h | 2 +-
+ fs/btrfs/ctree.c | 2 +-
+ fs/btrfs/ctree.h | 4 +-
+ fs/btrfs/delayed-ref.c | 4 +-
+ fs/btrfs/disk-io.c | 4 +-
+ fs/btrfs/file.c | 4 +-
+ fs/btrfs/raid56.c | 32 ++++----
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ fs/btrfs/transaction.c | 2 +-
+ fs/btrfs/tree-log.c | 8 +-
+ fs/btrfs/volumes.c | 14 ++--
+ fs/btrfs/volumes.h | 22 +++---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 4 +-
+ fs/ocfs2/dlm/dlmcommon.h | 4 +-
+ fs/ocfs2/dlm/dlmdebug.c | 10 +-
+ fs/ocfs2/dlm/dlmdomain.c | 4 +-
+ fs/ocfs2/dlm/dlmmaster.c | 4 +-
+ include/acpi/ghes.h | 2 +-
+ include/linux/blk-cgroup.h | 24 +++---
+ include/linux/jbd2.h | 2 +-
+ include/linux/netlink.h | 12 ++--
+ include/net/cfg802154.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +-
+ net/batman-adv/routing.c | 4 +-
+ net/batman-adv/soft-interface.c | 2 +-
+ net/batman-adv/translation-table.c | 14 ++--
+ net/batman-adv/types.h | 2 +-
+ net/core/neighbour.c | 14 ++--
+ net/core/rtnetlink.c | 2 +-
+ net/ipv4/arp.c | 2 +-
+ net/ipv4/inet_diag.c | 4 +-
+ net/ipv4/xfrm4_state.c | 4 +-
+ net/ipv6/ndisc.c | 2 +-
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/debugfs_key.c | 2 +-
+ net/mac80211/key.c | 4 +-
+ net/mac80211/tx.c | 2 +-
+ net/mac80211/wpa.c | 10 +-
+ net/mac802154/iface.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 22 +++---
+ net/netfilter/nf_tables_api.c | 13 ++--
+ net/netfilter/nfnetlink_acct.c | 7 +-
+ net/netfilter/nfnetlink_cthelper.c | 2 +-
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ net/netlink/af_netlink.c | 10 ++-
+ net/netlink/diag.c | 2 +-
+ net/netlink/genetlink.c | 14 ++--
+ net/packet/af_packet.c | 18 ++--
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 6 +-
+ net/unix/diag.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ security/apparmor/policy.c | 4 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_fifo.c | 6 +-
+ sound/core/seq/seq_fifo.h | 2 +-
+ tools/gcc/gcc-common.h | 24 ++++--
+ tools/gcc/initify_plugin.c | 7 +-
+ tools/lib/api/Makefile | 2 +-
+ 109 files changed, 399 insertions(+), 391 deletions(-)
+
+commit a7817402ac837b1aee07fac42537a02097055098
+Author: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Fri Jan 29 11:36:10 2016 +0000
+
+ x86/mm/pat: Avoid truncation when converting cpa->numpages to address
+
+ There are a couple of nasty truncation bugs lurking in the pageattr
+ code that can be triggered when mapping EFI regions, e.g. when we pass
+ a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
+ left by PAGE_SHIFT will truncate the resultant address to 32-bits.
+
+ Viorel-Cătălin managed to trigger this bug on his Dell machine that
+ provides a ~5GB EFI region which requires 1236992 pages to be mapped.
+ When calling populate_pud() the end of the region gets calculated
+ incorrectly in the following buggy expression,
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+
+ And only 188416 pages are mapped. Next, populate_pud() gets invoked
+ for a second time because of the loop in __change_page_attr_set_clr(),
+ only this time no pages get mapped because shifting the remaining
+ number of pages (1048576) by PAGE_SHIFT is zero. At which point the
+ loop in __change_page_attr_set_clr() spins forever because we fail to
+ map progress.
+
+ Hitting this bug depends very much on the virtual address we pick to
+ map the large region at and how many pages we map on the initial run
+ through the loop. This explains why this issue was only recently hit
+ with the introduction of commit
+
+ a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
+ entries bottom-up at runtime, instead of top-down")
+
+ It's interesting to note that safe uses of cpa->numpages do exist in
+ the pageattr code. If instead of shifting ->numpages we multiply by
+ PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
+ so the result is unsigned long.
+
+ To avoid surprises when users try to convert very large cpa->numpages
+ values to addresses, change the data type from 'int' to 'unsigned
+ long', thereby making it suitable for shifting by PAGE_SHIFT without
+ any type casting.
+
+ The alternative would be to make liberal use of casting, but that is
+ far more likely to cause problems in the future when someone adds more
+ code and fails to cast properly; this bug was difficult enough to
+ track down in the first place.
+
+ Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
+ Acked-by: Borislav Petkov <bp@alien8.de>
+ Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
+ Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/mm/pageattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 64dd9d7a67a742fda257cdd16510c29e695c34b5
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Tue Jan 26 04:15:18 2016 -0700
+
+ x86/mm: Fix types used in pgprot cacheability flags translations
+
+ For PAE kernels "unsigned long" is not suitable to hold page protection
+ flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
+ few W+X pages getting reported as insecure during boot (observed namely
+ for the entire initrd range).
+
+ Fixes: 281d4078be ("x86: Make page cache mode a real type")
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Reviewed-by: Juergen Gross <JGross@suse.com>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/include/asm/pgtable_types.h | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit bb9a3a9df0d8dfc96d521676e64c42b37ba22aea
+Merge: 682d661 f74425b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:06:25 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/slip/slhc.c
+ include/linux/sched.h
+ net/unix/af_unix.c
+ sound/core/timer.c
+
+commit f74425b5705bfe52aff9e97659ef10c4a14176c3
+Merge: d14af1f 849a2d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:02:55 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
+ Conflicts:
+ arch/x86/include/asm/mmu_context.h
+
+commit 682d6611d75542e351c973c8dd74a99d3966c073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 30 13:05:03 2016 -0500
+
+ Based on a report from Mathias Krause, fix up a number of additional instances
+ of ulong overflow when passing in values to gr_learn_resource by saturating
+ to ULONG_MAX
+
+ mm/mlock.c | 11 ++++++++---
+ mm/mmap.c | 16 +++++++++++++---
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+commit adb52e95fb9ad4ac9c56cd5d47bd668f47c33096
+Author: Jann Horn <jann@thejh.net>
+Date: Sat Dec 26 06:00:48 2015 +0100
+
+ seccomp: always propagate NO_NEW_PRIVS on tsync
+
+ Before this patch, a process with some permissive seccomp filter
+ that was applied by root without NO_NEW_PRIVS was able to add
+ more filters to itself without setting NO_NEW_PRIVS by setting
+ the new filter from a throwaway thread with NO_NEW_PRIVS.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+
+ kernel/seccomp.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+commit b85450498a3bbf269441c8963d7574bb3079c838
+Merge: 59c216f d14af1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:54:13 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d14af1f1dd66511f3f0674deee2b572972012b39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:53:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test26.patch:
+ - Emese fixed a few intentional overflows introduced by gcc, reported by StalkR (https://forums.grsecurity.net/viewtopic.php?f=3&t=4370)
+
+ fs/cifs/file.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 96 ++++++++++++++++++--
+ tools/gcc/size_overflow_plugin/size_overflow.h | 2 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 6 +-
+ .../size_overflow_transform_core.c | 5 +
+ 7 files changed, 102 insertions(+), 15 deletions(-)
+
+commit 59c216f13587eacdd692386b7a403ae78ed84fb6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 27 17:57:21 2016 -0500
+
+ Fix a size_overflow report reported by Mathias Krause in our
+ truncation of an loff_t to an unsigned long when being passed
+ to gr_learn_resource() (as all resource checks are against unsigned long
+ values)
+
+ fs/attr.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
commit 70636c6ad60fc1db3af764ecc789b827b7497a97
Author: Yuchung Cheng <ycheng@google.com>
Date: Wed Jan 6 12:42:38 2016 -0800