+commit 87790bbd0d8dc2bd7fd86cb947e32886db9e9766
+Author: Matthew Wilcox <willy@linux.intel.com>
+Date: Tue Feb 2 16:57:52 2016 -0800
+
+ radix-tree: fix race in gang lookup
+
+ If the indirect_ptr bit is set on a slot, that indicates we need to redo
+ the lookup. Introduce a new function radix_tree_iter_retry() which
+ forces the loop to retry the lookup by setting 'slot' to NULL and
+ turning the iterator back to point at the problematic entry.
+
+ This is a pretty rare problem to hit at the moment; the lookup has to
+ race with a grow of the radix tree from a height of 0. The consequences
+ of hitting this race are that gang lookup could return a pointer to a
+ radix_tree_node instead of a pointer to whatever the user had inserted
+ in the tree.
+
+ Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
+ Signed-off-by: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Konstantin Khlebnikov <khlebnikov@openvz.org>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 16 ++++++++++++++++
+ lib/radix-tree.c | 12 ++++++++++--
+ 2 files changed, 26 insertions(+), 2 deletions(-)
+
+commit bf628043b4589c910919a0f221ae7f42aa8cea93
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Wed Feb 3 02:11:03 2016 +0100
+
+ unix: correctly track in-flight fds in sending process user_struct
+
+ The commit referenced in the Fixes tag incorrectly accounted the number
+ of in-flight fds over a unix domain socket to the original opener
+ of the file-descriptor. This allows another process to arbitrary
+ deplete the original file-openers resource limit for the maximum of
+ open files. Instead the sending processes and its struct cred should
+ be credited.
+
+ To do so, we add a reference counted struct user_struct pointer to the
+ scm_fp_list and use it to account for the number of inflight unix fds.
+
+ Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
+ Reported-by: David Herrmann <dh.herrmann@gmail.com>
+ Cc: David Herrmann <dh.herrmann@gmail.com>
+ Cc: Willy Tarreau <w@1wt.eu>
+ Cc: Linus Torvalds <torvalds@linux-foundation.org>
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/net/af_unix.h | 4 ++--
+ include/net/scm.h | 1 +
+ net/core/scm.c | 7 +++++++
+ net/unix/af_unix.c | 4 ++--
+ net/unix/garbage.c | 8 ++++----
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+commit e830db443ff78d70b7b63536e688d73907face0c
+Author: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Fri Jan 15 16:57:37 2016 -0800
+
+ fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
+
+ Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
+ argument end is of type pgoff_t. It was being converted to a vaddr
+ offset and passed to unmap_hugepage_range. However, end was also being
+ used as an argument to the vma_interval_tree_foreach controlling loop.
+ In addition, the conversion of end to vaddr offset was incorrect.
+
+ hugetlb_vmtruncate_list is called as part of a file truncate or
+ fallocate hole punch operation.
+
+ When truncating a hugetlbfs file, this bug could prevent some pages from
+ being unmapped. This is possible if there are multiple vmas mapping the
+ file, and there is a sufficiently sized hole between the mappings. The
+ size of the hole between two vmas (A,B) must be such that the starting
+ virtual address of B is greater than (ending virtual address of A <<
+ PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
+ pages are not properly unmapped during truncate, the following BUG is
+ hit:
+
+ kernel BUG at fs/hugetlbfs/inode.c:428!
+
+ In the fallocate hole punch case, this bug could prevent pages from
+ being unmapped as in the truncate case. However, for hole punch the
+ result is that unmapped pages will not be removed during the operation.
+ For hole punch, it is also possible that more pages than desired will be
+ unmapped. This unnecessary unmapping will cause page faults to
+ reestablish the mappings on subsequent page access.
+
+ Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
+ Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+ Cc: Davidlohr Bueso <dave@stgolabs.net>
+ Cc: Dave Hansen <dave.hansen@linux.intel.com>
+ Cc: <stable@vger.kernel.org> [4.3]
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ fs/hugetlbfs/inode.c | 19 +++++++++++--------
+ 1 files changed, 11 insertions(+), 8 deletions(-)
+
+commit cdb3ba4a9113b779347387f3b6c6ea72dd4db12f
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Feb 4 17:06:13 2016 +0100
+
+ ALSA: timer: Fix leftover link at closing
+
+ In ALSA timer core, the active timer instance is managed in
+ active_list linked list. Each element is added / removed dynamically
+ at timer start, stop and in timer interrupt. The problem is that
+ snd_timer_interrupt() has a thinko and leaves the element in
+ active_list when it's the last opened element. This eventually leads
+ to list corruption or use-after-free error.
+
+ This hasn't been revealed because we used to delete the list forcibly
+ in snd_timer_stop() in the past. However, the recent fix avoids the
+ double-stop behavior (in commit [f784beb75ce8: ALSA: timer: Fix link
+ corruption due to double start or stop]), and this leak hits reality.
+
+ This patch fixes the link management in snd_timer_interrupt(). Now it
+ simply unlinks no matter which stream is.
+
+ BugLink: http://lkml.kernel.org/r/CACT4Y+Yy2aukHP-EDp8-ziNqNNmb-NTf=jDWXMP7jB8HDa2vng@mail.gmail.com
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 47d9647902f6a2f46a2be1e0140ba0f6f8c06008
+Author: Konstantin Khlebnikov <koct9i@gmail.com>
+Date: Fri Feb 5 15:37:01 2016 -0800
+
+ radix-tree: fix oops after radix_tree_iter_retry
+
+ Helper radix_tree_iter_retry() resets next_index to the current index.
+ In following radix_tree_next_slot current chunk size becomes zero. This
+ isn't checked and it tries to dereference null pointer in slot.
+
+ Tagged iterator is fine because retry happens only at slot 0 where tag
+ bitmask in iter->tags is filled with single bit.
+
+ Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
+ Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
+ Cc: Matthew Wilcox <willy@linux.intel.com>
+ Cc: Hugh Dickins <hughd@google.com>
+ Cc: Ohad Ben-Cohen <ohad@wizery.com>
+ Cc: Jeremiah Mahler <jmmahler@gmail.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ include/linux/radix-tree.h | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+commit 95b5dcb3c01958502af00b0bc0da1d906aae11a2
+Merge: 438be0b 256aeaf
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:33 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 256aeaf87c22de8edf1f03682a572c590ae07771
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Feb 7 08:29:09 2016 -0500
+
+ Update to pax-linux-4.3.5-test28.patch:
+ - fixed an integer truncation bug in numa_clear_kernel_node_hotplug caught by the size overflow plugin, reported by x14sg1 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4374)
+ - spender fixed UDEREF on arm
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ arch/x86/mm/numa.c | 2 +-
+ security/Kconfig | 1 -
+ 10 files changed, 60 insertions(+), 70 deletions(-)
+
+commit 438be0bd112bd17942b2628c53054dc1007558a1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 19:50:31 2016 -0500
+
+ Fix a number of issues caused by the upstream merging of a UDEREF ripoff resulting in unbootable
+ ARM systems reported on the forums
+
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/domain.h | 21 ++++++++-
+ arch/arm/include/asm/futex.h | 9 ----
+ arch/arm/include/asm/thread_info.h | 3 +
+ arch/arm/include/asm/uaccess.h | 81 +++++++++++++++---------------------
+ arch/arm/kernel/entry-armv.S | 2 +-
+ arch/arm/kernel/process.c | 2 +-
+ arch/arm/mm/alignment.c | 8 ----
+ security/Kconfig | 1 -
+ 9 files changed, 59 insertions(+), 69 deletions(-)
+
+commit 4ffdd5ef1f87e611af1efb4f251ada92abe9f4c0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:21:53 2016 -0500
+
+ Fix another compiler warning
+
+ net/ipv4/tcp_input.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit 30b5b7bc0fd67d458bdd5ab35e4689769eabd2ed
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Feb 6 11:16:12 2016 -0500
+
+ Fix two compiler warnings
+
+ kernel/pid.c | 5 ++---
+ kernel/ptrace.c | 3 ++-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+commit dda4d2a21914c480750f10bd55c6e3203d415d8d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:22:40 2016 -0500
+
+ Apply fix for integer truncation in NUMA init code, reported by
+ x14sg1 on the forums:
+ https://forums.grsecurity.net/viewtopic.php?f=3&t=4374
+
+ arch/x86/mm/numa.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 477505f7c893cb6a2c3e22f83eefd9c985d7b3ca
+Merge: a781740 016d0d8
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:58 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 016d0d81a8dd4be1304c82a68e0ccf425868f467
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Feb 3 21:20:10 2016 -0500
+
+ Update to pax-linux-4.3.5-test27.patch:
+ - fixed a bunch of potential REFCOUNT false positives, reported by Emese
+ - restored padding in fpregs_state for storing AVX-512 state in the future
+ - constified netlink_dump_control
+ - added const version of debug_gimple_stmt for gcc plugins, by Emese
+ - Emese fixed a bug in initify that could have initified too much
+ - Emese fixed a false positive intentional integer overflow in xfrm4_extract_header, reported by corsac
+
+ arch/x86/include/asm/fpu/types.h | 1 +
+ arch/x86/include/asm/mmu_context.h | 2 +-
+ block/blk-cgroup.c | 18 ++--
+ block/cfq-iosched.c | 4 +-
+ crypto/crypto_user.c | 8 ++-
+ drivers/acpi/apei/ghes.c | 6 +-
+ drivers/char/ipmi/ipmi_ssif.c | 12 ++--
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +-
+ drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 2 +-
+ drivers/gpu/drm/amd/scheduler/sched_fence.c | 2 +-
+ drivers/infiniband/core/netlink.c | 5 +-
+ drivers/infiniband/hw/cxgb4/device.c | 6 +-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 2 +-
+ drivers/md/bcache/alloc.c | 2 +-
+ drivers/md/bcache/bcache.h | 10 +-
+ drivers/md/bcache/btree.c | 2 +-
+ drivers/md/bcache/io.c | 10 +-
+ drivers/md/bcache/journal.c | 2 +-
+ drivers/md/bcache/stats.c | 26 +++---
+ drivers/md/bcache/stats.h | 16 ++--
+ drivers/md/bcache/super.c | 2 +-
+ drivers/md/bcache/sysfs.c | 20 +++---
+ drivers/md/dm-cache-target.c | 98 ++++++++++++------------
+ drivers/md/dm-raid.c | 2 +-
+ drivers/md/md.c | 6 +-
+ drivers/md/md.h | 2 +-
+ drivers/md/raid1.c | 2 +-
+ drivers/md/raid10.c | 2 +-
+ drivers/md/raid5.c | 4 +-
+ drivers/media/pci/zoran/zoran.h | 1 -
+ drivers/media/pci/zoran/zoran_driver.c | 3 -
+ drivers/net/ethernet/sfc/selftest.c | 20 +++---
+ drivers/net/irda/vlsi_ir.c | 18 ++--
+ drivers/net/irda/vlsi_ir.h | 14 ++--
+ drivers/net/wireless/ath/carl9170/carl9170.h | 6 +-
+ drivers/net/wireless/ath/carl9170/debug.c | 6 +-
+ drivers/net/wireless/ath/carl9170/main.c | 10 +-
+ drivers/net/wireless/ath/carl9170/tx.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/d3.c | 4 +-
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 2 +-
+ drivers/scsi/hptiop.c | 2 -
+ drivers/scsi/hptiop.h | 1 -
+ drivers/scsi/ipr.c | 6 +-
+ drivers/scsi/ipr.h | 2 +-
+ drivers/scsi/qla2xxx/qla_target.c | 10 +-
+ drivers/scsi/qla2xxx/qla_target.h | 2 +-
+ fs/btrfs/ctree.c | 2 +-
+ fs/btrfs/ctree.h | 4 +-
+ fs/btrfs/delayed-ref.c | 4 +-
+ fs/btrfs/disk-io.c | 4 +-
+ fs/btrfs/file.c | 4 +-
+ fs/btrfs/raid56.c | 32 ++++----
+ fs/btrfs/tests/btrfs-tests.c | 2 +-
+ fs/btrfs/transaction.c | 2 +-
+ fs/btrfs/tree-log.c | 8 +-
+ fs/btrfs/volumes.c | 14 ++--
+ fs/btrfs/volumes.h | 22 +++---
+ fs/jbd2/commit.c | 2 +-
+ fs/jbd2/transaction.c | 4 +-
+ fs/ocfs2/dlm/dlmcommon.h | 4 +-
+ fs/ocfs2/dlm/dlmdebug.c | 10 +-
+ fs/ocfs2/dlm/dlmdomain.c | 4 +-
+ fs/ocfs2/dlm/dlmmaster.c | 4 +-
+ include/acpi/ghes.h | 2 +-
+ include/linux/blk-cgroup.h | 24 +++---
+ include/linux/jbd2.h | 2 +-
+ include/linux/netlink.h | 12 ++--
+ include/net/cfg802154.h | 2 +-
+ include/net/mac80211.h | 2 +-
+ include/net/neighbour.h | 2 +-
+ kernel/rcu/tree_plugin.h | 4 +-
+ net/batman-adv/routing.c | 4 +-
+ net/batman-adv/soft-interface.c | 2 +-
+ net/batman-adv/translation-table.c | 14 ++--
+ net/batman-adv/types.h | 2 +-
+ net/core/neighbour.c | 14 ++--
+ net/core/rtnetlink.c | 2 +-
+ net/ipv4/arp.c | 2 +-
+ net/ipv4/inet_diag.c | 4 +-
+ net/ipv4/xfrm4_state.c | 4 +-
+ net/ipv6/ndisc.c | 2 +-
+ net/mac80211/cfg.c | 2 +-
+ net/mac80211/debugfs_key.c | 2 +-
+ net/mac80211/key.c | 4 +-
+ net/mac80211/tx.c | 2 +-
+ net/mac80211/wpa.c | 10 +-
+ net/mac802154/iface.c | 4 +-
+ net/netfilter/ipset/ip_set_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 22 +++---
+ net/netfilter/nf_tables_api.c | 13 ++--
+ net/netfilter/nfnetlink_acct.c | 7 +-
+ net/netfilter/nfnetlink_cthelper.c | 2 +-
+ net/netfilter/nfnetlink_cttimeout.c | 2 +-
+ net/netlink/af_netlink.c | 10 ++-
+ net/netlink/diag.c | 2 +-
+ net/netlink/genetlink.c | 14 ++--
+ net/packet/af_packet.c | 18 ++--
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 6 +-
+ net/unix/diag.c | 2 +-
+ net/xfrm/xfrm_user.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ security/apparmor/policy.c | 4 +-
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ sound/core/seq/seq_fifo.c | 6 +-
+ sound/core/seq/seq_fifo.h | 2 +-
+ tools/gcc/gcc-common.h | 24 ++++--
+ tools/gcc/initify_plugin.c | 7 +-
+ tools/lib/api/Makefile | 2 +-
+ 109 files changed, 399 insertions(+), 391 deletions(-)
+
+commit a7817402ac837b1aee07fac42537a02097055098
+Author: Matt Fleming <matt@codeblueprint.co.uk>
+Date: Fri Jan 29 11:36:10 2016 +0000
+
+ x86/mm/pat: Avoid truncation when converting cpa->numpages to address
+
+ There are a couple of nasty truncation bugs lurking in the pageattr
+ code that can be triggered when mapping EFI regions, e.g. when we pass
+ a cpa->pgd pointer. Because cpa->numpages is a 32-bit value, shifting
+ left by PAGE_SHIFT will truncate the resultant address to 32-bits.
+
+ Viorel-Cătălin managed to trigger this bug on his Dell machine that
+ provides a ~5GB EFI region which requires 1236992 pages to be mapped.
+ When calling populate_pud() the end of the region gets calculated
+ incorrectly in the following buggy expression,
+
+ end = start + (cpa->numpages << PAGE_SHIFT);
+
+ And only 188416 pages are mapped. Next, populate_pud() gets invoked
+ for a second time because of the loop in __change_page_attr_set_clr(),
+ only this time no pages get mapped because shifting the remaining
+ number of pages (1048576) by PAGE_SHIFT is zero. At which point the
+ loop in __change_page_attr_set_clr() spins forever because we fail to
+ map progress.
+
+ Hitting this bug depends very much on the virtual address we pick to
+ map the large region at and how many pages we map on the initial run
+ through the loop. This explains why this issue was only recently hit
+ with the introduction of commit
+
+ a5caa209ba9c ("x86/efi: Fix boot crash by mapping EFI memmap
+ entries bottom-up at runtime, instead of top-down")
+
+ It's interesting to note that safe uses of cpa->numpages do exist in
+ the pageattr code. If instead of shifting ->numpages we multiply by
+ PAGE_SIZE, no truncation occurs because PAGE_SIZE is a UL value, and
+ so the result is unsigned long.
+
+ To avoid surprises when users try to convert very large cpa->numpages
+ values to addresses, change the data type from 'int' to 'unsigned
+ long', thereby making it suitable for shifting by PAGE_SHIFT without
+ any type casting.
+
+ The alternative would be to make liberal use of casting, but that is
+ far more likely to cause problems in the future when someone adds more
+ code and fails to cast properly; this bug was difficult enough to
+ track down in the first place.
+
+ Reported-and-tested-by: Viorel-Cătălin Răpițeanu <rapiteanu.catalin@gmail.com>
+ Acked-by: Borislav Petkov <bp@alien8.de>
+ Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=110131
+ Link: http://lkml.kernel.org/r/1454067370-10374-1-git-send-email-matt@codeblueprint.co.uk
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/mm/pageattr.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit 64dd9d7a67a742fda257cdd16510c29e695c34b5
+Author: Jan Beulich <JBeulich@suse.com>
+Date: Tue Jan 26 04:15:18 2016 -0700
+
+ x86/mm: Fix types used in pgprot cacheability flags translations
+
+ For PAE kernels "unsigned long" is not suitable to hold page protection
+ flags, since _PAGE_NX doesn't fit there. This is the reason for quite a
+ few W+X pages getting reported as insecure during boot (observed namely
+ for the entire initrd range).
+
+ Fixes: 281d4078be ("x86: Make page cache mode a real type")
+ Signed-off-by: Jan Beulich <jbeulich@suse.com>
+ Reviewed-by: Juergen Gross <JGross@suse.com>
+ Cc: stable@vger.kernel.org
+ Link: http://lkml.kernel.org/r/56A7635602000078000CAFF1@prv-mh.provo.novell.com
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+
+ arch/x86/include/asm/pgtable_types.h | 6 ++----
+ 1 files changed, 2 insertions(+), 4 deletions(-)
+
+commit bb9a3a9df0d8dfc96d521676e64c42b37ba22aea
+Merge: 682d661 f74425b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:06:25 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/net/slip/slhc.c
+ include/linux/sched.h
+ net/unix/af_unix.c
+ sound/core/timer.c
+
+commit f74425b5705bfe52aff9e97659ef10c4a14176c3
+Merge: d14af1f 849a2d3
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 31 15:02:55 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
+ Conflicts:
+ arch/x86/include/asm/mmu_context.h
+
+commit 682d6611d75542e351c973c8dd74a99d3966c073
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 30 13:05:03 2016 -0500
+
+ Based on a report from Mathias Krause, fix up a number of additional instances
+ of ulong overflow when passing in values to gr_learn_resource by saturating
+ to ULONG_MAX
+
+ mm/mlock.c | 11 ++++++++---
+ mm/mmap.c | 16 +++++++++++++---
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+commit adb52e95fb9ad4ac9c56cd5d47bd668f47c33096
+Author: Jann Horn <jann@thejh.net>
+Date: Sat Dec 26 06:00:48 2015 +0100
+
+ seccomp: always propagate NO_NEW_PRIVS on tsync
+
+ Before this patch, a process with some permissive seccomp filter
+ that was applied by root without NO_NEW_PRIVS was able to add
+ more filters to itself without setting NO_NEW_PRIVS by setting
+ the new filter from a throwaway thread with NO_NEW_PRIVS.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: Kees Cook <keescook@chromium.org>
+
+ kernel/seccomp.c | 22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+commit b85450498a3bbf269441c8963d7574bb3079c838
+Merge: 59c216f d14af1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:54:13 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit d14af1f1dd66511f3f0674deee2b572972012b39
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Fri Jan 29 20:53:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test26.patch:
+ - Emese fixed a few intentional overflows introduced by gcc, reported by StalkR (https://forums.grsecurity.net/viewtopic.php?f=3&t=4370)
+
+ fs/cifs/file.c | 2 +-
+ fs/gfs2/file.c | 2 +-
+ .../size_overflow_plugin/intentional_overflow.c | 96 ++++++++++++++++++--
+ tools/gcc/size_overflow_plugin/size_overflow.h | 2 +
+ .../size_overflow_plugin/size_overflow_plugin.c | 4 +-
+ .../size_overflow_plugin/size_overflow_transform.c | 6 +-
+ .../size_overflow_transform_core.c | 5 +
+ 7 files changed, 102 insertions(+), 15 deletions(-)
+
+commit 59c216f13587eacdd692386b7a403ae78ed84fb6
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 27 17:57:21 2016 -0500
+
+ Fix a size_overflow report reported by Mathias Krause in our
+ truncation of an loff_t to an unsigned long when being passed
+ to gr_learn_resource() (as all resource checks are against unsigned long
+ values)
+
+ fs/attr.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 70636c6ad60fc1db3af764ecc789b827b7497a97
+Author: Yuchung Cheng <ycheng@google.com>
+Date: Wed Jan 6 12:42:38 2016 -0800
+
+ tcp: fix zero cwnd in tcp_cwnd_reduction
+
+ Patch 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode
+ conditionally") introduced a bug that cwnd may become 0 when both
+ inflight and sndcnt are 0 (cwnd = inflight + sndcnt). This may lead
+ to a div-by-zero if the connection starts another cwnd reduction
+ phase by setting tp->prior_cwnd to the current cwnd (0) in
+ tcp_init_cwnd_reduction().
+
+ To prevent this we skip PRR operation when nothing is acked or
+ sacked. Then cwnd must be positive in all cases as long as ssthresh
+ is positive:
+
+ 1) The proportional reduction mode
+ inflight > ssthresh > 0
+
+ 2) The reduction bound mode
+ a) inflight == ssthresh > 0
+
+ b) inflight < ssthresh
+ sndcnt > 0 since newly_acked_sacked > 0 and inflight < ssthresh
+
+ Therefore in all cases inflight and sndcnt can not both be 0.
+ We check invalid tp->prior_cwnd to avoid potential div0 bugs.
+
+ In reality this bug is triggered only with a sequence of less common
+ events. For example, the connection is terminating an ECN-triggered
+ cwnd reduction with an inflight 0, then it receives reordered/old
+ ACKs or DSACKs from prior transmission (which acks nothing). Or the
+ connection is in fast recovery stage that marks everything lost,
+ but fails to retransmit due to local issues, then receives data
+ packets from other end which acks nothing.
+
+ Fixes: 3759824da87b ("tcp: PRR uses CRB mode by default and SS mode conditionally")
+ Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+ Signed-off-by: Yuchung Cheng <ycheng@google.com>
+ Signed-off-by: Neal Cardwell <ncardwell@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/tcp_input.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit dac1da2bedbb43195d371c7a192cfeeb45683df0
+Author: Eric Dumazet <edumazet@google.com>
+Date: Sun Jan 24 13:53:50 2016 -0800
+
+ af_unix: fix struct pid memory leak
+
+ Dmitry reported a struct pid leak detected by a syzkaller program.
+
+ Bug happens in unix_stream_recvmsg() when we break the loop when a
+ signal is pending, without properly releasing scm.
+
+ Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/unix/af_unix.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 15cc47f127520d1ac0c1fe76d993c2c27f0f2571
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri Jan 22 01:39:43 2016 +0100
+
+ pptp: fix illegal memory access caused by multiple bind()s
+
+ Several times already this has been reported as kasan reports caused by
+ syzkaller and trinity and people always looked at RCU races, but it is
+ much more simple. :)
+
+ In case we bind a pptp socket multiple times, we simply add it to
+ the callid_sock list but don't remove the old binding. Thus the old
+ socket stays in the bucket with unused call_id indexes and doesn't get
+ cleaned up. This causes various forms of kasan reports which were hard
+ to pinpoint.
+
+ Simply don't allow multiple binds and correct error handling in
+ pptp_bind. Also keep sk_state bits in place in pptp_connect.
+
+ Fixes: 00959ade36acad ("PPTP: PPP over IPv4 (Point-to-Point Tunneling Protocol)")
+ Cc: Dmitry Kozlov <xeb@mail.ru>
+ Cc: Sasha Levin <sasha.levin@oracle.com>
+ Cc: Dmitry Vyukov <dvyukov@google.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: Dave Jones <davej@codemonkey.org.uk>
+ Reported-by: Dave Jones <davej@codemonkey.org.uk>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/ppp/pptp.c | 34 ++++++++++++++++++++++++----------
+ 1 files changed, 24 insertions(+), 10 deletions(-)
+
+commit e2b7b8c66851c85188fa6dab2d2b2a6c85bc7332
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:17:10 2016 -0500
+
+ Add info about cpupower/powertop to GRKERNSEC_KMEM, was present on our
+ wiki but was removed from the config help at some point
+
+ grsecurity/Kconfig | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit ce2e88efa000fc32bfcd84098f57c8ed8310fefc
+Author: Thomas Egerer <hakke_007@gmx.de>
+Date: Mon Jan 25 12:58:44 2016 +0100
+
+ ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
+
+ The ESP algorithms using CBC mode require echainiv. Hence INET*_ESP have
+ to select CRYPTO_ECHAINIV in order to work properly. This solves the
+ issues caused by a misconfiguration as described in [1].
+ The original approach, patching crypto/Kconfig was turned down by
+ Herbert Xu [2].
+
+ [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html
+ [2] http://marc.info/?l=linux-crypto-vger&m=145224655809562&w=2
+
+ Signed-off-by: Thomas Egerer <hakke_007@gmx.de>
+ Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/ipv4/Kconfig | 1 +
+ net/ipv6/Kconfig | 1 +
+ 2 files changed, 2 insertions(+), 0 deletions(-)
+
+commit fca5a303155ea67d28aece0caf2b03ffc3b2668d
+Merge: 904114c 6339c1f
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:08:40 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 6339c1f9a9beafd417bf9f04d4b257e62aeb45b7
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 26 18:07:51 2016 -0500
+
+ Update to pax-linux-4.3.4-test25.patch:
+ - fixed incorrect handling of VM_DONTCOPY during fork that would trigger a consistency check in the vma mirroring logic, reported by Mathias Krause <minipli@googlemail.com>
+ - fixed init_new_context on !MODIFY_LDT_SYSCALL configs, reported by tjh (https://forums.grsecurity.net/viewtopic.php?f=3&t=4368)
+ - fixed a few REFCOUNT false positives in SNMP related statistics
+
+ arch/x86/Kconfig | 2 +-
+ arch/x86/include/asm/mmu_context.h | 17 +++++++++++++++++
+ include/net/snmp.h | 10 +++++-----
+ kernel/fork.c | 11 +++++++++--
+ net/ipv4/proc.c | 8 ++++----
+ net/ipv6/addrconf.c | 4 ++--
+ net/ipv6/proc.c | 10 +++++-----
+ 7 files changed, 43 insertions(+), 19 deletions(-)
+
+commit 904114c2fce3fdff5d57e763da56a78960db4e19
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri Jan 22 18:08:52 2016 -0500
+
+ make sure that freeing shmem fast symlinks is RCU-delayed
+
+ Cc: stable@vger.kernel.org # v4.2+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ include/linux/shmem_fs.h | 5 +----
+ mm/shmem.c | 9 ++++-----
+ 2 files changed, 5 insertions(+), 9 deletions(-)
+
+commit ab86adee64312a2f827dd516cb199521327943ed
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Mon Jan 18 19:23:51 2016 -0500
+
+ netfilter: nf_conntrack: use safer way to lock all buckets
+
+ When we need to lock all buckets in the connection hashtable we'd attempt to
+ lock 1024 spinlocks, which is way more preemption levels than supported by
+ the kernel. Furthermore, this behavior was hidden by checking if lockdep is
+ enabled, and if it was - use only 8 buckets(!).
+
+ Fix this by using a global lock and synchronize all buckets on it when we
+ need to lock them all. This is pretty heavyweight, but is only done when we
+ need to resize the hashtable, and that doesn't happen often enough (or at all).
+
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+ Reviewed-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+ Conflicts:
+
+ net/netfilter/nfnetlink_cttimeout.c
+
+ include/net/netfilter/nf_conntrack_core.h | 8 ++----
+ net/netfilter/nf_conntrack_core.c | 38 +++++++++++++++++++++-------
+ net/netfilter/nf_conntrack_helper.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 2 +-
+ 4 files changed, 33 insertions(+), 17 deletions(-)
+
+commit 37014723527225481c720484bb788a1a6358072f
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Jan 18 16:36:09 2016 +0100
+
+ pipe: limit the per-user amount of pages allocated in pipes
+
+ On no-so-small systems, it is possible for a single process to cause an
+ OOM condition by filling large pipes with data that are never read. A
+ typical process filling 4000 pipes with 1 MB of data will use 4 GB of
+ memory. On small systems it may be tricky to set the pipe max size to
+ prevent this from happening.
+
+ This patch makes it possible to enforce a per-user soft limit above
+ which new pipes will be limited to a single page, effectively limiting
+ them to 4 kB each, as well as a hard limit above which no new pipes may
+ be created for this user. This has the effect of protecting the system
+ against memory abuse without hurting other users, and still allowing
+ pipes to work correctly though with less data at once.
+
+ The limit are controlled by two new sysctls : pipe-user-pages-soft, and
+ pipe-user-pages-hard. Both may be disabled by setting them to zero. The
+ default soft limit allows the default number of FDs per process (1024)
+ to create pipes of the default size (64kB), thus reaching a limit of 64MB
+ before starting to create only smaller pipes. With 256 processes limited
+ to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
+ 1084 MB of memory allocated for a user. The hard limit is disabled by
+ default to avoid breaking existing applications that make intensive use
+ of pipes (eg: for splicing).
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Documentation/sysctl/fs.txt | 23 +++++++++++++++++++++
+ fs/pipe.c | 47 +++++++++++++++++++++++++++++++++++++++++-
+ include/linux/pipe_fs_i.h | 4 +++
+ include/linux/sched.h | 1 +
+ kernel/sysctl.c | 14 ++++++++++++
+ 5 files changed, 87 insertions(+), 2 deletions(-)
+
+commit 51645fa198d194f746651dcfbc5f24a4cf8b9fb8
+Merge: 540f2af 7791ecb
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 23 10:57:11 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 7791ecb84f840343a5646236fd0d34e1fb450793
+Merge: 470069c 399588c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 23 10:56:47 2016 -0500
+
+ Merge branch 'linux-4.3.y' into pax-test
+
+commit 540f2affebd42cdc26a699208ab4f1cb0cb75e33
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 21:18:47 2016 -0500
+
+ Update size_overflow hash table
+
+ .../size_overflow_plugin/size_overflow_hash.data | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 7e649765626a28437f573f0fbe7a51a04615f041
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 20:29:46 2016 -0500
+
+ Backport fix from: https://lkml.org/lkml/2015/12/13/187
+
+ fs/ext4/extents.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 53b859cd0a5f5b6ad54fe0c879dfedaa3c5a3005
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:30 2016 +0100
+
+ compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)
+
+ This replaces all code in fs/compat_ioctl.c that translated
+ ioctl arguments into a in-kernel structure, then performed
+ do_ioctl under set_fs(KERNEL_DS), with code that allocates
+ data on the user stack and can call the VFS ioctl handler
+ under USER_DS.
+
+ This is done as a hardening measure because the caller
+ does not know what kind of ioctl handler will be invoked,
+ only that no corresponding compat_ioctl handler exists and
+ what the ioctl command number is. The accidental
+ invocation of an unlocked_ioctl handler that unexpectedly
+ calls copy_to_user could be a severe security issue.
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ Conflicts:
+
+ fs/compat_ioctl.c
+
+ fs/compat_ioctl.c | 130 ++++++++++++++++++++++++++++-------------------------
+ 1 files changed, 68 insertions(+), 62 deletions(-)
+
+commit 3e89e770ae27e931cd1583f021abac41eeebc3e7
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu Jan 7 09:53:30 2016 -0500
+
+ compat_ioctl: don't pass fd around when not needed
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/compat_ioctl.c | 103 ++++++++++++++++++++++++++--------------------------
+ fs/internal.h | 7 ++++
+ fs/ioctl.c | 4 +-
+ include/linux/fs.h | 2 -
+ 4 files changed, 61 insertions(+), 55 deletions(-)
+
+commit 9d4e04082752d4d2d68445c4e6faf33a2613df55
+Author: Jann Horn <jann@thejh.net>
+Date: Tue Jan 5 18:27:29 2016 +0100
+
+ compat_ioctl: don't look up the fd twice
+
+ In code in fs/compat_ioctl.c that translates ioctl arguments
+ into a in-kernel structure, then performs sys_ioctl, possibly
+ under set_fs(KERNEL_DS), this commit changes the sys_ioctl
+ calls to do_ioctl calls. do_ioctl is a new function that does
+ the same thing as sys_ioctl, but doesn't look up the fd again.
+
+ This change is made to avoid (potential) security issues
+ because of ioctl handlers that accept one of the ioctl
+ commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET,
+ TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ.
+ This can happen for multiple reasons:
+
+ - The ioctl command number could be reused.
+ - The ioctl handler might not check the full ioctl
+ command. This is e.g. true for drm_ioctl.
+ - The ioctl handler is very special, e.g. cuse_file_ioctl
+
+ The real issue is that set_fs(KERNEL_DS) is used here,
+ but that's fixed in a separate commit
+ "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)".
+
+ This change mitigates potential security issues by
+ preventing a race that permits invocation of
+ unlocked_ioctl handlers under KERNEL_DS through compat
+ code even if a corresponding compat_ioctl handler exists.
+
+ So far, no way has been identified to use this to damage
+ kernel memory without having CAP_SYS_ADMIN in the init ns
+ (with the capability, doing reads/writes at arbitrary
+ kernel addresses should be easy through CUSE's ioctl
+ handler with FUSE_IOCTL_UNRESTRICTED set).
+
+ [AV: two missed sys_ioctl() taken care of]
+
+ Signed-off-by: Jann Horn <jann@thejh.net>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/compat_ioctl.c | 122 +++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 68 insertions(+), 54 deletions(-)
+
+commit 5bf9e1ed4ebb278cd956ba142914fc04a024309c
+Author: Vasily Kulikov <segoon@openwall.com>
+Date: Fri Jan 15 16:57:55 2016 -0800
+
+ include/linux/poison.h: use POISON_POINTER_DELTA for poison pointers
+
+ TIMER_ENTRY_STATIC is defined as a poison pointers which
+ should point to nowhere. Redefine them using POISON_POINTER_DELTA
+ arithmetics to make sure they really point to non-mappable area declared
+ by the target architecture.
+
+ Signed-off-by: Vasily Kulikov <segoon@openwall.com>
+ Acked-by: Thomas Gleixner <tglx@linutronix.de>
+ Cc: Solar Designer <solar@openwall.com>
+ Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+ Conflicts:
+
+ include/linux/poison.h
+
+ include/linux/poison.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 60f2e0a05ab8f56c804a9334a23e2b446305d110
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:41:44 2016 -0500
+
+ Fix ARM compilation, reported by Austin Sepp
+
+ grsecurity/grsec_sig.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit e15383743443dc43460a2fd73e0db0b608610dca
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Mon Jan 18 13:52:47 2016 +0100
+
+ ALSA: hrtimer: Fix stall by hrtimer_cancel()
+
+ hrtimer_cancel() waits for the completion from the callback, thus it
+ must not be called inside the callback itself. This was already a
+ problem in the past with ALSA hrtimer driver, and the early commit
+ [fcfdebe70759: ALSA: hrtimer - Fix lock-up] tried to address it.
+
+ However, the previous fix is still insufficient: it may still cause a
+ lockup when the ALSA timer instance reprograms itself in its callback.
+ Then it invokes the start function even in snd_timer_interrupt() that
+ is called in hrtimer callback itself, results in a CPU stall. This is
+ no hypothetical problem but actually triggered by syzkaller fuzzer.
+
+ This patch tries to fix the issue again. Now we call
+ hrtimer_try_to_cancel() at both start and stop functions so that it
+ won't fall into a deadlock, yet giving some chance to cancel the queue
+ if the functions have been called outside the callback. The proper
+ hrtimer_cancel() is called in anyway at closing, so this should be
+ enough.
+
+ Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/hrtimer.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 12d874daf706e6e7c1ae709141859c809599297e
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 12:38:02 2016 +0100
+
+ ALSA: seq: Fix missing NULL check at remove_events ioctl
+
+ snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
+ unconditionally even if there is no FIFO assigned, and this leads to
+ an Oops due to NULL dereference. The fix is just to add a proper NULL
+ check.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/seq/seq_clientmgr.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 2eb0632df1351378946507e7ef7ba0682632a7b5
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Tue Jan 12 15:36:27 2016 +0100
+
+ ALSA: seq: Fix race at timer setup and close
+
+ ALSA sequencer code has an open race between the timer setup ioctl and
+ the close of the client. This was triggered by syzkaller fuzzer, and
+ a use-after-free was caught there as a result.
+
+ This patch papers over it by adding a proper queue->timer_mutex lock
+ around the timer-related calls in the relevant code path.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/seq/seq_queue.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+commit b9e55ab955e59b4a636d78a748be90334a48b485
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Thu Jan 14 16:30:58 2016 +0100
+
+ ALSA: timer: Harden slave timer list handling
+
+ A slave timer instance might be still accessible in a racy way while
+ operating the master instance as it lacks of locking. Since the
+ master operation is mostly protected with timer->lock, we should cope
+ with it while changing the slave instance, too. Also, some linked
+ lists (active_list and ack_list) of slave instances aren't unlinked
+ immediately at stopping or closing, and this may lead to unexpected
+ accesses.
+
+ This patch tries to address these issues. It adds spin lock of
+ timer->lock (either from master or slave, which is equivalent) in a
+ few places. For avoiding a deadlock, we ensure that the global
+ slave_active_lock is always locked at first before each timer lock.
+
+ Also, ack and active_list of slave instances are properly unlinked at
+ snd_timer_stop() and snd_timer_close().
+
+ Last but not least, remove the superfluous call of _snd_timer_stop()
+ at removing slave links. This is a noop, and calling it may confuse
+ readers wrt locking. Further cleanup will follow in a later patch.
+
+ Actually we've got reports of use-after-free by syzkaller fuzzer, and
+ this hopefully fixes these issues.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 files changed, 14 insertions(+), 4 deletions(-)
+
+commit f1ce0547bdfda1b42ae8a66c222f2a897cbe1586
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 17:48:01 2016 +0100
+
+ ALSA: timer: Fix race among timer ioctls
+
+ ALSA timer ioctls have an open race and this may lead to a
+ use-after-free of timer instance object. A simplistic fix is to make
+ each ioctl exclusive. We have already tread_sem for controlling the
+ tread, and extend this as a global mutex to be applied to each ioctl.
+
+ The downside is, of course, the worse concurrency. But these ioctls
+ aren't to be parallel accessible, in anyway, so it should be fine to
+ serialize there.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 32 +++++++++++++++++++-------------
+ 1 files changed, 19 insertions(+), 13 deletions(-)
+
+commit 8347d8461ed48a98f9c76cc3cfcdad8217d314bc
+Author: Takashi Iwai <tiwai@suse.de>
+Date: Wed Jan 13 21:35:06 2016 +0100
+
+ ALSA: timer: Fix double unlink of active_list
+
+ ALSA timer instance object has a couple of linked lists and they are
+ unlinked unconditionally at snd_timer_stop(). Meanwhile
+ snd_timer_interrupt() unlinks it, but it calls list_del() which leaves
+ the element list itself unchanged. This ends up with unlinking twice,
+ and it was caught by syzkaller fuzzer.
+
+ The fix is to use list_del_init() variant properly there, too.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: <stable@vger.kernel.org>
+ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+
+ sound/core/timer.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 243aebb7ae71d6e11ea9880faa893d1d0d60cd75
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Mon Jan 18 18:03:48 2016 +0100
+
+ ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack
+
+ It was seen that defective configurations of openvswitch could overwrite
+ the STACK_END_MAGIC and cause a hard crash of the kernel because of too
+ many recursions within ovs.
+
+ This problem arises due to the high stack usage of openvswitch. The rest
+ of the kernel is fine with the current limit of 10 (RECURSION_LIMIT).
+
+ We use the already existing recursion counter in ovs_execute_actions to
+ implement an upper bound of 5 recursions.
+
+ Cc: Pravin Shelar <pshelar@ovn.org>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Cc: Eric Dumazet <eric.dumazet@gmail.com>
+ Cc: Simon Horman <simon.horman@netronome.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/openvswitch/actions.c | 19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
+
+commit 8080793479c6d5befe37a67b1dbd9e4e0a61af96
+Author: Ursula Braun <ursula.braun@de.ibm.com>
+Date: Tue Jan 19 10:41:33 2016 +0100
+
+ af_iucv: Validate socket address length in iucv_sock_bind()
+
+ Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Reviewed-by: Evgeny Cherkashin <Eugene.Crosser@ru.ibm.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/iucv/af_iucv.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+commit 50a383c1c91ed7409c3cbdd41e662d6891463d1b
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 19 19:32:54 2016 -0500
+
+ Apply the same fix as everyone else for the recent keys vulnerability that is
+ unexploitable under PAX_REFCOUNT
+
+ Make a couple more changes that no one else can/will
+
+ include/linux/key-type.h | 4 ++--
+ ipc/msgutil.c | 4 ++--
+ security/keys/internal.h | 2 +-
+ security/keys/process_keys.c | 1 +
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+commit b56c3a63f431c193400aee17543021950bd14bc4
+Merge: 38b1a3d 470069c
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 18:30:19 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 470069cfedef2180313233d275be5901bd6d1135
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 18:29:59 2016 -0500
+
+ Update to pax-linux-4.3.3-test22.patch:
+ - Emesed fixed a gcc induced intentional integer overflow in asix_rx_fixup_internal, reported by thomas callison caffrey
+ - fixed some more fallout from the drm_drivers constification, reported by Colin Childs and Toralf Foerster
+
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 ++++----------
+ drivers/gpu/drm/drm_pci.c | 3 +++
+ drivers/gpu/drm/gma500/psb_drv.c | 4 ----
+ drivers/gpu/drm/i915/i915_drv.c | 16 ++++++++--------
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 6 +++---
+ drivers/gpu/drm/radeon/radeon_drv.c | 4 +---
+ drivers/net/usb/asix_common.c | 3 ++-
+ include/drm/drmP.h | 1 +
+ 8 files changed, 22 insertions(+), 29 deletions(-)
+
+commit 38b1a3d676f407865c3d41840df8213c5ad639c1
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sun Jan 17 12:33:53 2016 -0500
+
+ As reported by Luis Ressel, the Kconfig help for GRKERNSEC_BRUTE
+ mentioned banning execution of suid/sgid binaries, though the kernel
+ source clearly only mentions banning execution of suid binaries. Since
+ there's no reason for us to not ban execution of sgid binaries as well,
+ make the implementation match the Kconfig description.
+
+ fs/exec.c | 4 ++--
+ grsecurity/grsec_sig.c | 27 ++++++++++++++-------------
+ include/linux/sched.h | 4 ++--
+ 3 files changed, 18 insertions(+), 17 deletions(-)
+
+commit 8c3bcb7dbf7f606acfa0983e81f0f928da1f1ace
+Merge: d141a86 ea4a835
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:12:22 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+ Conflicts:
+ drivers/gpu/drm/i810/i810_drv.c
+
+commit ea4a835328ada6513ac013986764d6caea8cd348
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 14:11:30 2016 -0500
+
+ Update to pax-linux-4.3.3-test21.patch:
+ - fixed some fallout from the drm_drivers constification, reported by spender
+
+ drivers/gpu/drm/armada/armada_drv.c | 3 +--
+ drivers/gpu/drm/exynos/exynos_drm_drv.c | 1 -
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 6 +++++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
+
+commit d141a86fd66194bc3f896b6809b189e2f12a9a83
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 13:16:36 2016 -0500
+
+ compile fix
+
+ drivers/gpu/drm/i810/i810_dma.c | 2 +-
+ drivers/gpu/drm/i810/i810_drv.c | 4 +++-
+ drivers/gpu/drm/i810/i810_drv.h | 2 +-
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+commit 0d9dc4b25ea32c14561bcfe6b5b24f1b00fe0270
+Merge: 5fa135d bbda879
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:59:22 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit bbda87914edf63e27fb46670bf3a373f2b963c73
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:58:04 2016 -0500
+
+ Update to pax-linux-4.3.3-test20.patch:
+ - constified drm_driver
+ - Emese fixed a special case in handling __func__ in the initify plugin
+ - Emese fixed a false positive size overflow report in handling inbufBits, reported by Martin Filo (https://bugs.gentoo.org/show_bug.cgi?id=567048)
+ - fixed regression that caused perf to not resolve kernel code addresses under KERNEXEC/i386, reported by minipli
+
+ arch/x86/kernel/cpu/perf_event.h | 2 +-
+ arch/x86/kernel/cpu/perf_event_intel_ds.c | 7 +-
+ arch/x86/kernel/cpu/perf_event_intel_lbr.c | 4 +-
+ arch/x86/kernel/uprobes.c | 2 +-
+ arch/x86/mm/mpx.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 8 ++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 2 +-
+ drivers/gpu/drm/drm_pci.c | 6 +-
+ drivers/gpu/drm/gma500/psb_drv.c | 5 +-
+ drivers/gpu/drm/i915/i915_dma.c | 2 +-
+ drivers/gpu/drm/i915/i915_drv.c | 15 ++--
+ drivers/gpu/drm/i915/i915_drv.h | 2 +-
+ drivers/gpu/drm/i915/i915_irq.c | 88 ++++++++++----------
+ drivers/gpu/drm/mga/mga_drv.c | 5 +-
+ drivers/gpu/drm/mga/mga_drv.h | 2 +-
+ drivers/gpu/drm/mga/mga_state.c | 2 +-
+ drivers/gpu/drm/nouveau/nouveau_drm.c | 13 ++--
+ drivers/gpu/drm/qxl/qxl_drv.c | 8 ++-
+ drivers/gpu/drm/qxl/qxl_ioctl.c | 2 +-
+ drivers/gpu/drm/r128/r128_drv.c | 4 +-
+ drivers/gpu/drm/r128/r128_drv.h | 2 +-
+ drivers/gpu/drm/r128/r128_state.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_drv.c | 17 +++-
+ drivers/gpu/drm/radeon/radeon_drv.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_kms.c | 2 +-
+ drivers/gpu/drm/radeon/radeon_state.c | 2 +-
+ drivers/gpu/drm/savage/savage_bci.c | 2 +-
+ drivers/gpu/drm/savage/savage_drv.c | 5 +-
+ drivers/gpu/drm/savage/savage_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_drv.c | 5 +-
+ drivers/gpu/drm/sis/sis_drv.h | 2 +-
+ drivers/gpu/drm/sis/sis_mm.c | 2 +-
+ drivers/gpu/drm/via/via_dma.c | 2 +-
+ drivers/gpu/drm/via/via_drv.c | 5 +-
+ drivers/gpu/drm/via/via_drv.h | 2 +-
+ include/drm/drmP.h | 2 +-
+ mm/slab.c | 2 +-
+ net/sunrpc/xprtrdma/svc_rdma.c | 6 +-
+ tools/gcc/initify_plugin.c | 15 +++-
+ .../disable_size_overflow_hash.data | 1 +
+ .../size_overflow_plugin/size_overflow_hash.data | 3 +-
+ 42 files changed, 156 insertions(+), 110 deletions(-)
+
+commit 5fa135dc116350e0205c39ef65eaf6496ed2748a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:19:23 2016 -0500
+
+ compile fix
+
+ grsecurity/grsec_sig.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+commit a9090fa58f33f75c7450fda5721a9b13625a47d9
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Sat Jan 16 12:10:37 2016 -0500
+
+ As pointed out by Jann Horn, some distros are starting to circumvent
+ previous assumptions about the attainability of a user to control
+ multiple UIDs by handing out suid binaries that allow a user to run
+ processes (including exploits) under a number of other pre-defined
+ UIDs. As this could potentially be used to bypass GRKERNSEC_BRUTE
+ (though it would have to involve some code path that doesn't involve
+ locks) fix that here by ensuring no more than 8 users on a system can
+ be banned before a reboot is required. If more are banned, a panic
+ is triggered.
+
+ grsecurity/grsec_sig.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+commit a8d37776e9521c567ebff6730d49312f72435f08
+Author: Eric Dumazet <edumazet@google.com>
+Date: Thu Dec 3 11:12:07 2015 -0800
+
+ proc: add a reschedule point in proc_readfd_common()
+
+ User can pass an arbitrary large buffer to getdents().
+
+ It is typically a 32KB buffer used by libc scandir() implementation.
+
+ When scanning /proc/{pid}/fd, we can hold cpu way too long,
+ so add a cond_resched() to be kind with other tasks.
+
+ We've seen latencies of more than 50ms on real workloads.
+
+ Signed-off-by: Eric Dumazet <edumazet@google.com>
+ Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ fs/proc/fd.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0adba75f8708f13b1f5d98ebe3fc2fb961e100c8
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 12 20:17:08 2016 +0100
+
+ net: bpf: reject invalid shifts
+
+ On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
+ constant shift that can't be encoded in the immediate field of the
+ UBFM/SBFM instructions is passed to the JIT. Since these shifts
+ amounts, which are negative or >= regsize, are invalid, reject them in
+ the eBPF verifier and the classic BPF filter checker, for all
+ architectures.
+
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ kernel/bpf/verifier.c | 10 ++++++++++
+ net/core/filter.c | 5 +++++
+ 2 files changed, 15 insertions(+), 0 deletions(-)
+
+commit c248e115a73496625a1c64660d0eeefd67e55cbf
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Fri Jan 8 11:00:54 2016 -0200
+
+ sctp: fix use-after-free in pr_debug statement
+
+ Dmitry Vyukov reported a use-after-free in the code expanded by the
+ macro debug_post_sfx, which is caused by the use of the asoc pointer
+ after it was freed within sctp_side_effect() scope.
+
+ This patch fixes it by allowing sctp_side_effect to clear that asoc
+ pointer when the TCB is freed.
+
+ As Vlad explained, we also have to cover the SCTP_DISPOSITION_ABORT case
+ because it will trigger DELETE_TCB too on that same loop.
+
+ Also, there were places issuing SCTP_CMD_INIT_FAILED and ASSOC_FAILED
+ but returning SCTP_DISPOSITION_CONSUME, which would fool the scheme
+ above. Fix it by returning SCTP_DISPOSITION_ABORT instead.
+
+ The macro is already prepared to handle such NULL pointer.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Acked-by: Vlad Yasevich <vyasevich@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/sm_sideeffect.c | 11 ++++++-----
+ net/sctp/sm_statefuns.c | 17 ++++-------------
+ 2 files changed, 10 insertions(+), 18 deletions(-)
+
+commit 395ea8a9e73e184fc14153a033000bccf4213213
+Author: willy tarreau <w@1wt.eu>
+Date: Sun Jan 10 07:54:56 2016 +0100
+
+ unix: properly account for FDs passed over unix sockets
+
+ It is possible for a process to allocate and accumulate far more FDs than
+ the process' limit by sending them over a unix socket then closing them
+ to keep the process' fd count low.
+
+ This change addresses this problem by keeping track of the number of FDs
+ in flight per user and preventing non-privileged processes from having
+ more FDs in flight than their configured FD limit.
+
+ Reported-by: socketpair@gmail.com
+ Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+ Mitigates: CVE-2013-4312 (Linux 2.0+)
+ Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+ Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ include/linux/sched.h | 1 +
+ net/unix/af_unix.c | 24 ++++++++++++++++++++----
+ net/unix/garbage.c | 13 ++++++++-----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+commit cb207ab8fbd71dcfc4a49d533aba8085012543fd
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Thu Jan 7 14:52:43 2016 -0500
+
+ net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory
+
+ proc_dostring() needs an initialized destination string, while the one
+ provided in proc_sctp_do_hmac_alg() contains stack garbage.
+
+ Thus, writing to cookie_hmac_alg would strlen() that garbage and end up
+ accessing invalid memory.
+
+ Fixes: 3c68198e7 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/sysctl.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 4014e09faf0fe9054119624ccfff1236e886b554
+Author: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+Date: Tue Nov 24 17:13:21 2015 -0500
+
+ RDS: fix race condition when sending a message on unbound socket
+
+ commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+ Sasha's found a NULL pointer dereference in the RDS connection code when
+ sending a message to an apparently unbound socket. The problem is caused
+ by the code checking if the socket is bound in rds_sendmsg(), which checks
+ the rs_bound_addr field without taking a lock on the socket. This opens a
+ race where rs_bound_addr is temporarily set but where the transport is not
+ in rds_bind(), leading to a NULL pointer dereference when trying to
+ dereference 'trans' in __rds_conn_create().
+
+ Vegard wrote a reproducer for this issue, so kindly ask him to share if
+ you're interested.
+
+ I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+ with this patch, whereas I could without.
+
+ Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+ Cc: David S. Miller <davem@davemloft.net>
+
+ Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
+ Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+ Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+
+ Conflicts:
+
+ net/rds/send.c
+
+ net/rds/connection.c | 6 ------
+ 1 files changed, 0 insertions(+), 6 deletions(-)
+
+commit 206df8d01104344d7588d801016a281a4cd25556
+Author: Sasha Levin <sasha.levin@oracle.com>
+Date: Tue Sep 8 10:53:40 2015 -0400
+
+ RDS: verify the underlying transport exists before creating a connection
+
+ There was no verification that an underlying transport exists when creating
+ a connection, this would cause dereferencing a NULL ptr.
+
+ It might happen on sockets that weren't properly bound before attempting to
+ send a message, which will cause a NULL ptr deref:
+
+ [135546.047719] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+ [135546.051270] Modules linked in:
+ [135546.051781] CPU: 4 PID: 15650 Comm: trinity-c4 Not tainted 4.2.0-next-20150902-sasha-00041-gbaa1222-dirty #2527
+ [135546.053217] task: ffff8800835bc000 ti: ffff8800bc708000 task.ti: ffff8800bc708000
+ [135546.054291] RIP: __rds_conn_create (net/rds/connection.c:194)
+ [135546.055666] RSP: 0018:ffff8800bc70fab0 EFLAGS: 00010202
+ [135546.056457] RAX: dffffc0000000000 RBX: 0000000000000f2c RCX: ffff8800835bc000
+ [135546.057494] RDX: 0000000000000007 RSI: ffff8800835bccd8 RDI: 0000000000000038
+ [135546.058530] RBP: ffff8800bc70fb18 R08: 0000000000000001 R09: 0000000000000000
+ [135546.059556] R10: ffffed014d7a3a23 R11: ffffed014d7a3a21 R12: 0000000000000000
+ [135546.060614] R13: 0000000000000001 R14: ffff8801ec3d0000 R15: 0000000000000000
+ [135546.061668] FS: 00007faad4ffb700(0000) GS:ffff880252000000(0000) knlGS:0000000000000000
+ [135546.062836] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ [135546.063682] CR2: 000000000000846a CR3: 000000009d137000 CR4: 00000000000006a0
+ [135546.064723] Stack:
+ [135546.065048] ffffffffafe2055c ffffffffafe23fc1 ffffed00493097bf ffff8801ec3d0008
+ [135546.066247] 0000000000000000 00000000000000d0 0000000000000000 ac194a24c0586342
+ [135546.067438] 1ffff100178e1f78 ffff880320581b00 ffff8800bc70fdd0 ffff880320581b00
+ [135546.068629] Call Trace:
+ [135546.069028] ? __rds_conn_create (include/linux/rcupdate.h:856 net/rds/connection.c:134)
+ [135546.069989] ? rds_message_copy_from_user (net/rds/message.c:298)
+ [135546.071021] rds_conn_create_outgoing (net/rds/connection.c:278)
+ [135546.071981] rds_sendmsg (net/rds/send.c:1058)
+ [135546.072858] ? perf_trace_lock (include/trace/events/lock.h:38)
+ [135546.073744] ? lockdep_init (kernel/locking/lockdep.c:3298)
+ [135546.074577] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.075508] ? __might_fault (./arch/x86/include/asm/current.h:14 mm/memory.c:3795)
+ [135546.076349] ? __might_fault (mm/memory.c:3795)
+ [135546.077179] ? rds_send_drop_to (net/rds/send.c:976)
+ [135546.078114] sock_sendmsg (net/socket.c:611 net/socket.c:620)
+ [135546.078856] SYSC_sendto (net/socket.c:1657)
+ [135546.079596] ? SYSC_connect (net/socket.c:1628)
+ [135546.080510] ? trace_dump_stack (kernel/trace/trace.c:1926)
+ [135546.081397] ? ring_buffer_unlock_commit (kernel/trace/ring_buffer.c:2479 kernel/trace/ring_buffer.c:2558 kernel/trace/ring_buffer.c:2674)
+ [135546.082390] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.083410] ? trace_event_raw_event_sys_enter (include/trace/events/syscalls.h:16)
+ [135546.084481] ? do_audit_syscall_entry (include/trace/events/syscalls.h:16)
+ [135546.085438] ? trace_buffer_unlock_commit (kernel/trace/trace.c:1749)
+ [135546.085515] rds_ib_laddr_check(): addr 36.74.25.172 ret -99 node type -1
+
+ Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+ Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/rds/connection.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 173fa03f05cf0ad485d49a42cbdee8844d3a689a
+Author: Steven Rostedt (Red Hat) <rostedt@goodmis.org>
+Date: Tue Jan 5 20:32:47 2016 -0500
+
+ ftrace/module: Call clean up function when module init fails early
+
+ If the module init code fails after calling ftrace_module_init() and before
+ calling do_init_module(), we can suffer from a memory leak. This is because
+ ftrace_module_init() allocates pages to store the locations that ftrace
+ hooks are placed in the module text. If do_init_module() fails, it still
+ calls the MODULE_GOING notifiers which will tell ftrace to do a clean up of
+ the pages it allocated for the module. But if load_module() fails before
+ then, the pages allocated by ftrace_module_init() will never be freed.
+
+ Call ftrace_release_mod() on the module if load_module() fails before
+ getting to do_init_module().
+
+ Link: http://lkml.kernel.org/r/567CEA31.1070507@intel.com
+
+ Reported-by: "Qiu, PeiyangX" <peiyangx.qiu@intel.com>
+ Fixes: a949ae560a511 "ftrace/module: Hardcode ftrace_module_init() call into load_module()"
+ Cc: stable@vger.kernel.org # v2.6.38+
+ Acked-by: Rusty Russell <rusty@rustcorp.com.au>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ include/linux/ftrace.h | 1 +
+ kernel/module.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 0 deletions(-)
+
+commit 1e5a4a81a4c16c8ac2e264b88a02cc2f42ed0399
+Author: Francesco Ruggeri <fruggeri@aristanetworks.com>
+Date: Wed Jan 6 00:18:48 2016 -0800
+
+ net: possible use after free in dst_release
+
+ dst_release should not access dst->flags after decrementing
+ __refcnt to 0. The dst_entry may be in dst_busy_list and
+ dst_gc_task may dst_destroy it before dst_release gets a chance
+ to access dst->flags.
+
+ Fixes: d69bbf88c8d0 ("net: fix a race in dst_release()")
+ Fixes: 27b75c95f10d ("net: avoid RCU for NOCACHE dst")
+ Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/core/dst.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit bfb0455793dd4e0f0b49d34a68b3249ab55565cc
+Author: Alan <gnomes@lxorguk.ukuu.org.uk>
+Date: Wed Jan 6 14:55:02 2016 +0000
+
+ mkiss: fix scribble on freed memory
+
+ commit d79f16c046086f4fe0d42184a458e187464eb83e fixed a user triggerable
+ scribble on free memory but added a new one which allows the user to
+ scribble even more and user controlled data into freed space.
+
+ As with 6pack we need to halt the queue before we free the buffers, because
+ the transmit logic is not protected by the semaphore.
+
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/hamradio/mkiss.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+commit 5cbbcbd32dc1949470f61d342503808fa9555276
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:49 2015 -0500
+
+ mkiss: Fix use after free in mkiss_close().
+
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/hamradio/mkiss.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+commit b00171576794a98068e069a660f0991a6a5190ff
+Author: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
+Date: Tue Jan 5 11:51:25 2016 +0000
+
+ 6pack: fix free memory scribbles
+
+ commit acf673a3187edf72068ee2f92f4dc47d66baed47 fixed a user triggerable free
+ memory scribble but in doing so replaced it with a different one that allows
+ the user to control the data and scribble even more.
+
+ sixpack_close is called by the tty layer in tty context. The tty context is
+ protected by sp_get() and sp_put(). However network layer activity via
+ sp_xmit() is not protected this way. We must therefore stop the queue
+ otherwise the user gets to dump a buffer mostly of their choice into freed
+ kernel pages.
+
+ Signed-off-by: Alan Cox <alan@linux.intel.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/hamradio/6pack.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+commit 5b64a833907cd230a3106aeba2304b2c1bcd116d
+Author: David Miller <davem@davemloft.net>
+Date: Thu Dec 17 16:05:32 2015 -0500
+
+ 6pack: Fix use after free in sixpack_close().
+
+ Need to do the unregister_device() after all references to the driver
+ private have been done.
+
+ Also we need to use del_timer_sync() for the timers so that we don't
+ have any asynchronous references after the unregister.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/net/hamradio/6pack.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+commit 4f9d532742656b3613d579220fd10c78f24ba37b
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 16:23:07 2016 +0100
+
+ net: filter: make JITs zero A for SKF_AD_ALU_XOR_X
+
+ The SKF_AD_ALU_XOR_X ancillary is not like the other ancillary data
+ instructions since it XORs A with X while all the others replace A with
+ some loaded value. All the BPF JITs fail to clear A if this is used as
+ the first instruction in a filter. This was found using american fuzzy
+ lop.
+
+ Add a helper to determine if A needs to be cleared given the first
+ instruction in a filter, and use this in the JITs. Except for ARM, the
+ rest have only been compile-tested.
+
+ Fixes: 3480593131e0 ("net: filter: get rid of BPF_S_* enum")
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/arm/net/bpf_jit_32.c | 16 +---------------
+ arch/mips/net/bpf_jit.c | 16 +---------------
+ arch/powerpc/net/bpf_jit_comp.c | 13 ++-----------
+ arch/sparc/net/bpf_jit_comp.c | 17 ++---------------
+ include/linux/filter.h | 19 +++++++++++++++++++
+ 5 files changed, 25 insertions(+), 56 deletions(-)
+
+commit 570d88f8acfffda92b89ae2e1c47320d47256034
+Author: John Fastabend <john.fastabend@gmail.com>
+Date: Tue Jan 5 09:11:36 2016 -0800
+
+ net: sched: fix missing free per cpu on qstats
+
+ When a qdisc is using per cpu stats (currently just the ingress
+ qdisc) only the bstats are being freed. This also free's the qstats.
+
+ Fixes: b0ab6f92752b9f9d8 ("net: sched: enable per cpu qstats")
+ Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
+ Acked-by: Eric Dumazet <edumazet@google.com>
+ Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sched/sch_generic.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+commit 32c0ebc51857ee83470a10dcb234d308a0ed1881
+Author: Rabin Vincent <rabin@rab.in>
+Date: Tue Jan 5 18:34:04 2016 +0100
+
+ ARM: net: bpf: fix zero right shift
+
+ The LSR instruction cannot be used to perform a zero right shift since a
+ 0 as the immediate value (imm5) in the LSR instruction encoding means
+ that a shift of 32 is perfomed. See DecodeIMMShift() in the ARM ARM.
+
+ Make the JIT skip generation of the LSR if a zero-shift is requested.
+
+ This was found using american fuzzy lop.
+
+ Signed-off-by: Rabin Vincent <rabin@rab.in>
+ Acked-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ arch/arm/net/bpf_jit_32.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+commit 51f5d291750285efa4d4bbe84e5ec23dc00c8d2d
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Wed Jan 6 20:35:57 2016 -0500
+
+ Don't perform hidden lookups in RBAC against the directory of
+ a file being opened with O_CREAT, reported by Karl Witt
+
+ Conflicts:
+
+ fs/namei.c
+
+ fs/namei.c | 3 ---
+ 1 files changed, 0 insertions(+), 3 deletions(-)
+
+commit 5a8266a6b2769ccdb447256f95bc2577a73cccd1
+Author: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Tue Jan 5 10:46:00 2016 +0100
+
+ bridge: Only call /sbin/bridge-stp for the initial network namespace
+
+ [I stole this patch from Eric Biederman. He wrote:]
+
+ > There is no defined mechanism to pass network namespace information
+ > into /sbin/bridge-stp therefore don't even try to invoke it except
+ > for bridge devices in the initial network namespace.
+ >
+ > It is possible for unprivileged users to cause /sbin/bridge-stp to be
+ > invoked for any network device name which if /sbin/bridge-stp does not
+ > guard against unreasonable arguments or being invoked twice on the
+ > same network device could cause problems.
+
+ [Hannes: changed patch using netns_eq]
+
+ Cc: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/bridge/br_stp_if.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+commit 650d535cc39f0aeff2f57e60b6617be25d3ef48b
+Author: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Wed Dec 23 16:28:40 2015 -0200
+
+ sctp: use GFP_USER for user-controlled kmalloc
+
+ Commit cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ missed two other spots.
+
+ For connectx, as it's more likely to be used by kernel users of the API,
+ it detects if GFP_USER should be used or not.
+
+ Fixes: cacc06215271 ("sctp: use GFP_USER for user-controlled kmalloc")
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ net/sctp/socket.c | 9 ++++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+commit 5718a1f63c41fc156f729783423b002763779d04
+Author: Florian Westphal <fw@strlen.de>
+Date: Thu Dec 31 14:26:33 2015 +0100
+
+ connector: bump skb->users before callback invocation
+
+ Dmitry reports memleak with syskaller program.
+ Problem is that connector bumps skb usecount but might not invoke callback.
+
+ So move skb_get to where we invoke the callback.
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: Florian Westphal <fw@strlen.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ drivers/connector/connector.c | 11 +++--------
+ 1 files changed, 3 insertions(+), 8 deletions(-)
+
+commit 2e6372e6a97f8d642416899861f91777f44f13b7
+Author: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+Date: Sun Jan 3 18:56:38 2016 +0000
+
+ af_unix: Fix splice-bind deadlock
+
+ On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
+ system call and AF_UNIX sockets,
+
+ http://lists.openwall.net/netdev/2015/11/06/24
+
+ The situation was analyzed as
+
+ (a while ago) A: socketpair()
+ B: splice() from a pipe to /mnt/regular_file
+ does sb_start_write() on /mnt
+ C: try to freeze /mnt
+ wait for B to finish with /mnt
+ A: bind() try to bind our socket to /mnt/new_socket_name
+ lock our socket, see it not bound yet
+ decide that it needs to create something in /mnt
+ try to do sb_start_write() on /mnt, block (it's
+ waiting for C).
+ D: splice() from the same pipe to our socket
+ lock the pipe, see that socket is connected
+ try to lock the socket, block waiting for A
+ B: get around to actually feeding a chunk from
+ pipe to file, try to lock the pipe. Deadlock.
+
+ on 2015/11/10 by Al Viro,
+
+ http://lists.openwall.net/netdev/2015/11/10/4
+
+ The patch fixes this by removing the kern_path_create related code from
+ unix_mknod and executing it as part of unix_bind prior acquiring the
+ readlock of the socket in question. This means that A (as used above)
+ will sb_start_write on /mnt before it acquires the readlock, hence, it
+ won't indirectly block B which first did a sb_start_write and then
+ waited for a thread trying to acquire the readlock. Consequently, A
+ being blocked by C waiting for B won't cause a deadlock anymore
+ (effectively, both A and B acquire two locks in opposite order in the
+ situation described above).
+
+ Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
+
+ Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+ Conflicts:
+
+ net/unix/af_unix.c
+
+ net/unix/af_unix.c | 70 +++++++++++++++++++++++++++++++--------------------
+ 1 files changed, 42 insertions(+), 28 deletions(-)
+
+commit 2e729e557c571f3253e32472cd7d382ac16cf1c3
+Author: Qiu Peiyang <peiyangx.qiu@intel.com>
+Date: Thu Dec 31 13:11:28 2015 +0800
+
+ tracing: Fix setting of start_index in find_next()
+
+ When we do cat /sys/kernel/debug/tracing/printk_formats, we hit kernel
+ panic at t_show.
+
+ general protection fault: 0000 [#1] PREEMPT SMP
+ CPU: 0 PID: 2957 Comm: sh Tainted: G W O 3.14.55-x86_64-01062-gd4acdc7 #2
+ RIP: 0010:[<ffffffff811375b2>]
+ [<ffffffff811375b2>] t_show+0x22/0xe0
+ RSP: 0000:ffff88002b4ebe80 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: 0000000000000004 RSI: ffffffff81fd26a6 RDI: ffff880032f9f7b1
+ RBP: ffff88002b4ebe98 R08: 0000000000001000 R09: 000000000000ffec
+ R10: 0000000000000000 R11: 000000000000000f R12: ffff880004d9b6c0
+ R13: 7365725f6d706400 R14: ffff880004d9b6c0 R15: ffffffff82020570
+ FS: 0000000000000000(0000) GS:ffff88003aa00000(0063) knlGS:00000000f776bc40
+ CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
+ CR2: 00000000f6c02ff0 CR3: 000000002c2b3000 CR4: 00000000001007f0
+ Call Trace:
+ [<ffffffff811dc076>] seq_read+0x2f6/0x3e0
+ [<ffffffff811b749b>] vfs_read+0x9b/0x160
+ [<ffffffff811b7f69>] SyS_read+0x49/0xb0
+ [<ffffffff81a3a4b9>] ia32_do_call+0x13/0x13
+ ---[ end trace 5bd9eb630614861e ]---
+ Kernel panic - not syncing: Fatal exception
+
+ When the first time find_next calls find_next_mod_format, it should
+ iterate the trace_bprintk_fmt_list to find the first print format of
+ the module. However in current code, start_index is smaller than *pos
+ at first, and code will not iterate the list. Latter container_of will
+ get the wrong address with former v, which will cause mod_fmt be a
+ meaningless object and so is the returned mod_fmt->fmt.
+
+ This patch will fix it by correcting the start_index. After fixed,
+ when the first time calls find_next_mod_format, start_index will be
+ equal to *pos, and code will iterate the trace_bprintk_fmt_list to
+ get the right module printk format, so is the returned mod_fmt->fmt.
+
+ Link: http://lkml.kernel.org/r/5684B900.9000309@intel.com
+
+ Cc: stable@vger.kernel.org # 3.12+
+ Fixes: 102c9323c35a8 "tracing: Add __tracepoint_string() to export string pointers"
+ Signed-off-by: Qiu Peiyang <peiyangx.qiu@intel.com>
+ Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+
+ kernel/trace/trace_printk.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+commit 0994af4b1930f32aa493dc08145cd304f8bfc8f4
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Mon Dec 28 20:47:08 2015 -0500
+
+ [PATCH] arm: fix handling of F_OFD_... in oabi_fcntl64()
+
+ Cc: stable@vger.kernel.org # 3.15+
+ Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+ arch/arm/kernel/sys_oabi-compat.c | 73 +++++++++++++++++++------------------
+ 1 files changed, 37 insertions(+), 36 deletions(-)
+
+commit 4ed030f65dcf3e6b0128032a49a7d75f947fa351
+Merge: de243c2 3adc55a
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 5 18:10:10 2016 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 3adc55a5acfa429c2a7cc883aef08b960c0079b0
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Jan 5 18:08:53 2016 -0500
+
+ Update to pax-linux-4.3.3-test16.patch:
+ - small cleanup in entry_64.S on x86
+ - Emese fixed the initify plugin to recursively check variable initializers, reported by Rasmus Villemoes
+ - fixed an integer truncation of a partially uninitialized value bug in em_pop_sreg, reported by fx3 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4354)
+ - fixed alternatives patching of call insns under KERNEXEC/i386, reported by fly_a320 (https://forums.grsecurity.net/viewtopic.php?f=3&t=4305) and TTgrsec (https://forums.grsecurity.net/viewtopic.php?f=3&t=4353)
+ - fixed a size overflow false positive that triggered in tcp_parse_options on arm, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350&p=15917#p15916)
+ - fixed a boot crash on amd64 with KERNEXEC/OR and CONTEXT_TRACKING, reported by Klaus Kusche (https://bugs.gentoo.org/show_bug.cgi?id=570420)
+
+ arch/x86/entry/entry_64.S | 60 +++++-----
+ arch/x86/kernel/alternative.c | 2 +-
+ arch/x86/kvm/emulate.c | 4 +-
+ tools/gcc/initify_plugin.c | 123 +++++++++----------
+ .../disable_size_overflow_hash.data | 4 +-
+ .../size_overflow_plugin/size_overflow_hash.data | 2 -
+ 6 files changed, 93 insertions(+), 102 deletions(-)
+
+commit de243c26efd0e423ca92db825af2c3f8eb1ca043
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Tue Dec 29 18:01:24 2015 -0500
+
+ It was noticed during an internal audit that the code under GRKERNSEC_PROC_MEMMAP
+ which aimed to enforce a 16MB minimum on RLIMIT_DATA for suid/sgid binaries only
+ did so if RLIMIT_DATA was set lower than PAGE_SIZE.
+
+ This addition was only supplemental as GRKERNSEC_BRUTE is the main defense
+ against suid/sgid attacks and the flaw above would only eliminate the extra
+ entropy provided for the brk-managed heap, still leaving it with the minimum
+ of 16-bit entropy for mmap on x86 and 28 on x64.
+
+ mm/mmap.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+commit 8e264cfe47e5f08cdc9ed009a630277206cd2534
+Merge: 436201b 2584340
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 28 20:30:01 2015 -0500
+
+ Merge branch 'pax-test' into grsec-test
+
+commit 2584340eab494e64ec1bf9eb5b0d1ae31f926306
+Author: Brad Spengler <spender@grsecurity.net>
+Date: Mon Dec 28 20:29:28 2015 -0500
+
+ Update to pax-linux-4.3.3-test14.patch:
+ - fixed an integer sign conversion error in i2c_dw_pci_probe caught by the size overflow plugin, reported by Jean Lucas and ganymede (https://forums.grsecurity.net/viewtopic.php?f=3&t=4349)
+ - fixed shutdown crash with tboot and KERNEXEC, reported by perfinion
+ - fixed a few false positive and one real size overflow reports in hyperv, reported by hunger
+ - fixed compile regressions on armv5, reported by iamb (https://forums.grsecurity.net/viewtopic.php?f=3&t=4350)
+ - fixed an assert in the initify plugin that triggered in vic_register on arm
+
+ arch/arm/include/asm/atomic.h | 7 +++++--
+ arch/arm/include/asm/domain.h | 5 ++---
+ arch/x86/kernel/tboot.c | 14 +++++++++-----
+ drivers/hv/channel.c | 4 +---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 2 +-
+ drivers/net/hyperv/rndis_filter.c | 3 +--
+ fs/exec.c | 4 ++--
+ include/linux/atomic.h | 15 ---------------
+ net/core/skbuff.c | 3 ++-
+ tools/gcc/initify_plugin.c | 4 +++-
+ 10 files changed, 26 insertions(+), 35 deletions(-)
+
+commit 436201b6626b488d173c8076447000077c27b84a
+Author: David Howells <dhowells@redhat.com>
+Date: Fri Dec 18 01:34:26 2015 +0000
+
+ KEYS: Fix race between read and revoke
+
+ This fixes CVE-2015-7550.
+
+ There's a race between keyctl_read() and keyctl_revoke(). If the revoke
+ happens between keyctl_read() checking the validity of a key and the key's
+ semaphore being taken, then the key type read method will see a revoked key.
+
+ This causes a problem for the user-defined key type because it assumes in
+ its read method that there will always be a payload in a non-revoked key
+ and doesn't check for a NULL pointer.
+
+ Fix this by making keyctl_read() check the validity of a key after taking
+ semaphore instead of before.
+
+ I think the bug was introduced with the original keyrings code.
+
+ This was discovered by a multithreaded test program generated by syzkaller
+ (http://github.com/google/syzkaller). Here's a cleaned up version:
+
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <pthread.h>
+ void *thr0(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ keyctl_revoke(key);
+ return 0;
+ }
+ void *thr1(void *arg)
+ {
+ key_serial_t key = (unsigned long)arg;
+ char buffer[16];
+ keyctl_read(key, buffer, 16);
+ return 0;
+ }
+ int main()
+ {
+ key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
+ pthread_t th[5];
+ pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
+ pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
+ pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
+ pthread_join(th[0], 0);
+ pthread_join(th[1], 0);
+ pthread_join(th[2], 0);
+ pthread_join(th[3], 0);
+ return 0;
+ }
+
+ Build as:
+
+ cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
+
+ Run as:
+
+ while keyctl-race; do :; done
+
+ as it may need several iterations to crash the kernel. The crash can be
+ summarised as:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: [<ffffffff81279b08>] user_read+0x56/0xa3
+ ...
+ Call Trace:
+ [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
+ [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
+ [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
+
+ Reported-by: Dmitry Vyukov <dvyukov@google.com>
+ Signed-off-by: David Howells <dhowells@redhat.com>
+ Tested-by: Dmitry Vyukov <dvyukov@google.com>
+ Cc: stable@vger.kernel.org
+ Signed-off-by: James Morris <james.l.morris@oracle.com>
+
+ security/keys/keyctl.c | 18 +++++++++---------
+ 1 files changed, 9 insertions(+), 9 deletions(-)
+
commit 195cea04477025da4a2078bd3e1fb7c4e11206c2
Author: Brad Spengler <spender@grsecurity.net>
Date: Tue Dec 22 20:44:01 2015 -0500
projects / thirdparty / grsecurity-scrape.git / blobdiff